mercredi 22 juillet 2015

How to disable disabled account to use applicaton

ASP .NET MVC3 application uses login controller from MVC3 application template below.

User enters user name and password and click "remember me" checkbox. Authorization cookie is stored in browser and credentials are no more asked on subsequent accesses.

User can disabled by setting disavled column in accounts database. If such user tries to log on membership provider returns error and login failed.

However if user is already logged in, membership provider is not called. Disabled user can continue to use application. How to fix this so that disabled user cannot use application ?

LogOn controller is basically from Visual Studio MVC3 sample application template:

    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(model.UserName) || string.IsNullOrWhiteSpace(model.Password))
        {
            ModelState.AddModelError("", "User or password not filled");
            return View(model);
        }
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (!String.IsNullOrEmpty(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        else
        {
            ModelState.AddModelError("", "Logon error");
        }
        return View(model);
    }

Aucun commentaire:

Enregistrer un commentaire