Authorization inside a controller action
Sometimes the behavior needs to change based on the principal after the request has been processed. In such scenarios, we can implement authorization inside the controller action. For example, to shape the response according to the user's role, we can check the logged-in user's role through the ApiController.User property in the action method itself:
```csharp
public HttpResponseMessage Get()
{
    if (!User.IsInRole("Admin"))
    {
        // manipulate the response to eliminate information that shouldn't be shared with non admin users
    }
}
```
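The following is an added example (not from the book) of a complete action built on this pattern: the sensitive field is removed on the server before serialization, so a non-admin caller never receives it, and the class-level [Authorize] attribute still rejects anonymous callers before the action runs. EmployeeDto, EmployeesController and the in-memory data are hypothetical names constructed for the example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Hypothetical record returned by the action; Salary is the sensitive field.
public class EmployeeDto
{
    public int Id { get; set; }
    public string Name { get; set; }
    public decimal? Salary { get; set; }   // null when the caller may not see it
}

// [Authorize] returns 401 to unauthenticated callers before Get() executes;
// the role check inside the action only decides what an authenticated
// caller is allowed to see.
[Authorize]
public class EmployeesController : ApiController
{
    // Constructed in-memory data standing in for a repository.
    private static readonly List<EmployeeDto> Employees = new List<EmployeeDto>
    {
        new EmployeeDto { Id = 1, Name = "Alice", Salary = 90000m },
        new EmployeeDto { Id = 2, Name = "Bob",   Salary = 72000m },
    };

    public HttpResponseMessage Get()
    {
        bool isAdmin = User.IsInRole("Admin");

        // Project the data on the server: non-admins never receive the
        // sensitive field, rather than receiving it and trusting the client
        // to hide it.
        var view = Employees.Select(e => new EmployeeDto
        {
            Id = e.Id,
            Name = e.Name,
            Salary = isAdmin ? e.Salary : null
        }).ToList();

        return Request.CreateResponse(HttpStatusCode.OK, view);
    }
}
```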