Add a new ForbiddenResult

[HaoK]

This would be almost identical to ChallengeResult, except it calls Forbid instead of Challenge, which would make it easier to directly specify access denied flows (i.e. signal cookies to redirect to the access denied page).

[tuespetre]

Is there going to be a 'convenience' controller method for this? 💡

[yukozh]

I don't think implement a ForbiddenResult is a good way to solve forbidden requests. It will make a lot of redirects. Why not implement a PromptResult and make it render a View to solve the most of requires in MVC?

        [NonAction]
        protected IActionResult Prompt(Prompt prompt)
        {
            Response.StatusCode = prompt.StatusCode;
            return View("Prompt", prompt);
        }

    public class Prompt
    {
        public string Title { get; set; }
        public int StatusCode { get; set; } = 200;
        public string Details { get; set; }
        public string RedirectUrl { get; set; }
        public string RedirectText { get; set; }
        public string Requires { get; set; }
        public dynamic Hint { get; set; }
    }

        public virtual void HandleUnauthorizedRequest(ActionExecutingContext context)
        {
            var prompt = new Prompt
            {
                Title = "Permission Denied",
                StatusCode = 403,
                Details = "You must sign in with a higher power account.",
                Requires = "ClaimsOrRoles",
                Hint = new { Roles = roles, Claims = claimTypes }
            };
            var services = context.HttpContext.ApplicationServices;
            context.Result = new ViewResult
            {
                StatusCode = prompt.StatusCode,
                TempData = new TempDataDictionary(services.GetRequiredService<IHttpContextAccessor>(), services.GetRequiredService<ITempDataProvider>()),
                ViewName = "Prompt",
                ViewData = new ViewDataDictionary(new EmptyModelMetadataProvider(), context.ModelState) { Model = prompt }
            };
        }

            var post = DB.Posts
                .Include(x => x.Tags)
                .Where(x => x.Url == id)
                .SingleOrDefault();
            if (post == null) return Prompt(new Prompt
            {
                StatusCode = 404,
                Title = SR["Not Found"],
                Details = SR["The resources have not been found, please check your request."],
                RedirectUrl = Url.Link("default", new { controller = "Home", action = "Index" }),
                RedirectText = SR["Back to home"]
            });

[Eilon]

@kagamine I believe this is just about sending a 403 to the client. Another middleware can certainly intercept that result and do some alternate behavior.

[Eilon]

@pranavkm can you look at Forbidden as well as Challenge? Currently the MVC template manufactures ChallengeResults on its own - maybe it could also use a helper?

[pranavkm]

@tuespetre missed your comment when making this change. ChallengeResult is also missing a convenience controller method. @Eilon \ @danroth27, should we add Controller.Forbid, \ Controller.Challenge?

[Eilon]

@pranavkm yes we want those for use in the templates as well.