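/// <summary>
/// Authorizes a request only when the base authorization check passes and the
/// session holds a <c>LoginUser</c> whose <c>IsStaff()</c> returns true.
/// </summary>
/// <param name="httpContext">The HTTP context of the request being authorized.</param>
/// <returns>
/// <c>false</c> when <c>base.AuthorizeCore</c> rejects the request; <c>true</c> when the
/// session's login user is staff.
/// </returns>
/// <exception cref="HttpException">
/// Thrown with status 403 when the base check passed but there is no session, no
/// <c>LoginUser</c> stored under <c>Constants.SSKEY_LOGIN_USER</c>, or the user is not staff.
/// </exception>
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
    // The base check runs first, so the staff lookup is only reached for requests it accepted.
    if (!base.AuthorizeCore(httpContext))
    {
        return false;
    }

    // HttpContextBase.Session may be null (for example when session state is disabled
    // for the request). Treat that as "no login user" so the check fails closed with a
    // 403 instead of surfacing a NullReferenceException.
    var session = httpContext.Session;
    LoginUser loginUser = null;
    if (session != null)
    {
        // The "as" cast yields null for a missing key or an unexpected stored type,
        // and both cases are rejected below.
        loginUser = session[Constants.SSKEY_LOGIN_USER] as LoginUser;
    }

    // The staff decision rests solely on the server-side session object.
    // NOTE(review): this throws instead of returning false. If the base class also calls
    // AuthorizeCore from an output-cache validation callback, the exception is raised
    // there too - confirm that is intended.
    if (loginUser == null || !loginUser.IsStaff())
    {
        throw new HttpException(403, "Forbidden.");
    }

    return true;
}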