Published on

Getting a WebApi2 controller to return HttpStatusCode.Forbidden

Authors
  • avatar
    Name
    Mike Barram
    Twitter

If your WebApi controller is checking that the user has permission to view a particular record and it turns out that they don’t then you will want to return a status of Forbidden, rather than Unauthorized as discussed here: http://stackoverflow.com/questions/238437/why-does-authorizeattribute-redirect-to-the-login-page-for-authentication-and-au/5844884#5844884

(You might also want to override the AuthorizeAttribute class as described there)

WebApi2 controllers now return IHttpActionResult rather than HttpResponseMessage (see http://stackoverflow.com/questions/21758615/why-should-i-use-ihttpactionresult-instead-of-httpresponsemessage). It’s easy to return a result from the System.Web.Http.Results Namespace e.g. return Unauthorized();
But the namespace doesn’t contain Forbidden, so instead use:

return ResponseMessage(new HttpResponseMessage(HttpStatusCode.Forbidden));

Or, more simply:

return StatusCode(HttpStatusCode.NotFound);
Discuss on TwitterView on GitHub