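/// <summary>
/// Web API authorization hook: 401 for an unauthenticated or non-claims principal,
/// 401 for an authenticated identity with no matching <c>ApplicationUser</c> row,
/// 403 when none of the user's roles is granted the <c>ActionName</c> of module <c>Modulo</c>
/// (both read from the enclosing attribute, outside this block). Leaves
/// <paramref name="actionContext"/>.Response untouched when the caller is permitted,
/// which lets the pipeline continue to the action.
/// </summary>
/// <param name="actionContext">Context of the request being authorized; its Response is set on denial.</param>
public override void OnAuthorization(HttpActionContext actionContext)
{
    // Authentication gate. The `as` cast yields null for any non-ClaimsPrincipal
    // identity; the original dereferenced it unconditionally, which would have
    // thrown a NullReferenceException (500) instead of returning 401.
    var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
    if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
    {
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        return;
    }

    // One DbContext for the one query we need, disposed when done. The original
    // also built an unused UserStore/UserManager over a second, never-disposed context.
    ApplicationUser user;
    using (var db = new ApplicationDbContext())
    {
        var userName = principal.Identity.Name;
        user = db.Users.Include(x => x.Roles).FirstOrDefault(x => x.UserName == userName);
    }

    // Authenticated identity with no user record: deny and STOP. The original set the
    // 401 but fell through to `user.Roles`, which would have thrown on the null user.
    if (user == null)
    {
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        return;
    }

    // The module/action lookup does not depend on the role, so resolve it once
    // instead of once per role as the original did. An unknown module is treated
    // like an unknown action: fail closed with 403 rather than throw on module.ModuloId.
    var module = new ModuloRepository().GetByName(Modulo);
    var action = module == null ? null : new AccionesRepository().GetByName(ActionName, module.ModuloId);
    if (action == null)
    {
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        return;
    }

    // Permission is granted if ANY of the user's roles is mapped to this module/action.
    var permissionRepo = new AccionesRoleRepository();
    var hasPermission = false;
    foreach (var role in user.Roles)
    {
        if (permissionRepo.exist(module.ModuloId, action.AccionesId, role.RoleId))
        {
            hasPermission = true;
            break;
        }
    }

    if (!hasPermission)
    {
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
    }
    // Authorized: Response stays null and execution continues to the action.
}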