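/// <summary>
/// Authorizes the current request. The caller is let through when the current principal
/// can perform at least one of the configured <c>actions</c> on <c>resourceType</c>;
/// otherwise <paramref name="context"/> receives an <c>HttpForbiddenResult</c> and a
/// warning is logged. An empty <c>actions</c> set therefore denies every caller
/// (deny by default).
/// </summary>
/// <param name="context">The authorization context whose <c>Result</c> is set on denial.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="context"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>Permissions</c> or <c>PrincipalProvider</c> has not been configured.
/// </exception>
public override void OnAuthorization(AuthorizationContext context)
{
    Logger.Trace("OnAuthorization");

    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    // Fail loudly on misconfiguration instead of silently allowing or denying everything.
    if (Permissions == null)
    {
        throw new InvalidOperationException("No permission sets found");
    }

    if (PrincipalProvider == null)
    {
        throw new InvalidOperationException("No principal provider found");
    }

    var user = PrincipalProvider.GetCurrent();

    // One permitted action is sufficient; with no actions configured this is false (deny).
    var authorized = actions.Any(action => Permissions.CanPerform(user, resourceType, action));
    if (authorized)
    {
        return;
    }

    context.Result = new HttpForbiddenResult();

    // Resolve the name defensively: a principal may carry a null Identity or an empty Name,
    // and a NullReferenceException here would turn a clean 403 into an unhandled server error.
    var identity = user == null ? null : user.Identity;
    var userName = identity == null || string.IsNullOrEmpty(identity.Name)
        ? "Anonymous"
        : identity.Name;
    Logger.Warn("unauthorized access detected by {0}", userName);
}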