User.IsInRole fails for one action but not for another

Question

I've put a custom authorize attribute into my MVC application, which does

if (!this.Roles.Split(',').Any(filterContext.HttpContext.User.IsInRole))

and if true it will redirect you to unauthorised.

I put this attribute on my controller at controller level.

One action works fine, and in one action I get unauthorised.

Is there some bug or problem in the role system? I've read that logging out and in can force some cache to refresh or something, however the system I am using authenticates with your domain credentials so there is no way to log out.

I've tried restarting the app pool and deleting my session cookie but nothing has worked.

Has anyone experienced this specific issue before or has some guidance on perhaps flushing any caching related to it (assuming it's a caching issue)?

ETA: Another user on the system gave himself the role required for the controller and both actions work fine for him. So perhaps my user is somehow bugged. This is on UAT so slightly more difficult to debug than running on my local machine (which works fine).

ETA2: I'm pretty sure this is a caching issue, as going to the URL with ?1=1 in the query string, it works. I'm unable to invalidate the cache though. This may be a problem in the future when assigning roles to people.

Answer 1

First, we need more code before we could possibly give you any definitive answers. However:

1. Caching could be a problem. If you're using anything like OutputCache, you should ensure that you're using VaryByCustom and somehow including the user's id or other identifying token in the custom string returned.

2. If you're adding roles to users, you must either log the user out and sign them back in, or otherwise invalidate their authorization. In Identity, for example, you can simply invalidate the security stamp, which will cause the user to be reauthorized, updating things like claims or roles that have changed since they signed in.