From 22328598dbbb22b36fb395e52507eeba9c3c3000 Mon Sep 17 00:00:00 2001
From: Elitsa Marinovska <21998037+elit0451@users.noreply.github.com>
Date: Tue, 11 Apr 2023 15:41:55 +0200
Subject: [PATCH] Adding dedicated Forbidden and Unauthorized handling for members (#14036)

---
 .../Filters/UmbracoMemberAuthorizeFilter.cs | 15 ++++++++++++---
 .../Security/ConfigureMemberCookieOptions.cs | 7 +++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/Umbraco.Web.Common/Filters/UmbracoMemberAuthorizeFilter.cs b/src/Umbraco.Web.Common/Filters/UmbracoMemberAuthorizeFilter.cs
index 351ea6e1bf..95c4ae5cec 100644
--- a/src/Umbraco.Web.Common/Filters/UmbracoMemberAuthorizeFilter.cs
+++ b/src/Umbraco.Web.Common/Filters/UmbracoMemberAuthorizeFilter.cs
@@ -54,11 +54,20 @@ public class UmbracoMemberAuthorizeFilter : IAsyncAuthorizationFilter
         IMemberManager memberManager = context.HttpContext.RequestServices.GetRequiredService();
-        if (!await IsAuthorizedAsync(memberManager))
+        if (memberManager.IsLoggedIn())
+        {
+            if (!await IsAuthorizedAsync(memberManager))
+            {
+                context.HttpContext.SetReasonPhrase(
+                    "Resource restricted: the member is not of a permitted type or group.");
+                context.Result = new ForbidResult();
+            }
+        }
+        else
         {
             context.HttpContext.SetReasonPhrase(
-                "Resource restricted: either member is not logged on or is not of a permitted type or group.");
-            context.Result = new ForbidResult();
+                "Resource restricted: the member is not logged in.");
+            context.Result = new UnauthorizedResult();
         }
     }
diff --git a/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs b/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs
index 1e0960fbc7..9aa073483a 100644
--- a/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs
+++ b/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs
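Review bot: `context.Result = new UnauthorizedResult();` in the new else branch is a plain 401 status-code result rather than an authentication challenge, so the member cookie scheme's login-redirect handling never runs on this path, whereas the `ForbidResult` branch still goes through the scheme's forbid handling (which the second file in this patch appears to reconfigure to a bare 403). If a bare 401 with no redirect is the intended contract for unauthenticated members, state it where the result is set, e.g. `// Plain 401 on purpose: bypasses the cookie scheme's login redirect so callers get a status code, not a redirect.`; if browser-facing members should instead be sent to the login page, `new ChallengeResult()` is the symmetric counterpart to `ForbidResult`. The enclosing authorization method starts and ends outside the hunk, and the `IsLoggedIn()` / `IsAuthorizedAsync` helpers are not visible here, so whether an expired or partially-signed-in member is reported as 401 rather than 403 depends on what `IsLoggedIn()` checks.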
@@ -1,4 +1,5 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Options;
 using Umbraco.Cms.Core.Routing;
@@ -44,6 +45,12 @@ public sealed class ConfigureMemberCookieOptions : IConfigureNamedOptions + { + ctx.Response.StatusCode = StatusCodes.Status403Forbidden; + return Task.CompletedTask; }, };
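Review bot: The added handler sets `ctx.Response.StatusCode = StatusCodes.Status403Forbidden;` and returns `Task.CompletedTask` with no body and no comment explaining why the cookie handler's default behaviour is being replaced, and the line naming the cookie event it is assigned to is not readable on this page (the text between the hunk header and the opening brace appears lost), so this review is limited to the visible lines. Because it turns whatever redirect the cookie handler would otherwise issue into a bare 403, a one-line intent comment would help the next maintainer, e.g. `// Members denied access get a 403 status instead of a redirect, matching the ForbidResult returned by UmbracoMemberAuthorizeFilter.` The handler also references `Task`, but the visible using block (the first hunk of this file) has no `System.Threading.Tasks` directive; presumably it comes from implicit or global usings, which is worth confirming. The enclosing options-configuration method starts outside the hunk.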