I ended up modifying this slightly to use ActionFilterAttribute instead of AuthorizeAttribute.
In case this is of use to anyone, here is the code:
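/// <summary>
/// Action filter that redirects the request to the applicant "Change Password"
/// action while the session flag <c>SessionKeys.PasswordChangeRequired</c> is set to true.
/// </summary>
/// <remarks>
/// Enforcement is driven only by the session flag: when the flag is absent or false
/// the request proceeds unchanged. Whatever sets and clears the flag is outside this
/// class - presumably the login and change-password code; verify that it is populated
/// from the authoritative account state on every sign-in.
/// The filter only protects actions it is applied to (method, class, or wherever else
/// it is registered).
/// </remarks>
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class ChangePasswordAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Runs before the action and replaces its result with a redirect when a
    /// password change is pending.
    /// </summary>
    /// <param name="filterContext">The current action context</param>
    /// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
    /// <exception cref="InvalidOperationException">No session is available for the request.</exception>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Don't redirect to "Change Password" action if it is the current action.
        // The comparison ignores case: MVC matches action names case-insensitively, so
        // the name seen here may not carry the casing of the constant (for example when
        // lower-case URLs are generated). A case-sensitive check would then miss the
        // exemption and redirect the change-password page to itself.
        if (filterContext.Controller is ApplicantController &&
            string.Equals(
                MVC.Applicant.ActionNames.ChangePassword,
                filterContext.ActionDescriptor.ActionName,
                StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        // Without a session the flag cannot be read. Fail closed with a clear error
        // rather than a NullReferenceException, and never let the request through
        // unchecked.
        var session = filterContext.HttpContext.Session;
        if (session == null)
        {
            throw new InvalidOperationException(
                "ChangePasswordAttribute requires session state, but no session is available for this request.");
        }

        // Redirect if password change is required.
        // The cast is kept deliberately strict: a non-bool value under this key is a
        // programming error and should surface instead of being read as "not required".
        object changeRequired = session[SessionKeys.PasswordChangeRequired];
        if (changeRequired != null && (bool)changeRequired)
        {
            // Save route in session so the user can be redirected appropriately after a
            // successful password change. Only the route values are copied; the code
            // that consumes them is not part of this class.
            RouteValueDictionary routeValues = new RouteValueDictionary(filterContext.RouteData.Values);
            session[SessionKeys.PasswordChangeRouteValues] = routeValues;

            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary
                {
                    { "controller", MVC.Applicant.Name },
                    { "action", MVC.Applicant.ActionNames.ChangePassword }
                });
        }
    }
}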