Ensure the user is authenticated to see webprofiler/miniprofiler logs (#16007)

2024-04-08 11:14:25 +02:00
parent b552ccb885
commit 85d35b3a69
2 changed files with 15 additions and 4 deletions
--- a/src/Umbraco.Web.Common/Profiler/ConfigureMiniProfilerOptions.cs
+++ b/src/Umbraco.Web.Common/Profiler/ConfigureMiniProfilerOptions.cs
@@ -1,5 +1,8 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
+using OpenIddict.Abstractions;
 using StackExchange.Profiling;
 using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.Hosting;
@@ -35,9 +38,17 @@ internal sealed class ConfigureMiniProfilerOptions : IConfigureOptions<MiniProfi
        options.IgnoredPaths.Add(WebPath.Combine(options.RouteBasePath, "results-index"));
        options.IgnoredPaths.Add(WebPath.Combine(options.RouteBasePath, "results"));

-        options.ResultsAuthorize = IsBackofficeUserAuthorized;
-        options.ResultsListAuthorize = IsBackofficeUserAuthorized;
+        options.ResultsAuthorizeAsync = IsBackofficeUserAuthorized;
+        options.ResultsListAuthorizeAsync = IsBackofficeUserAuthorized;
    }

-    private bool IsBackofficeUserAuthorized(HttpRequest request) => true;// FIXME when we can get current backoffice user, _backOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser is not null;
+    private async Task<bool> IsBackofficeUserAuthorized(HttpRequest request)
+    {
+        AuthenticateResult authenticateResult = await request.HttpContext.AuthenticateBackOfficeAsync();
+        ClaimsIdentity? identity = authenticateResult.Principal?.GetUmbracoIdentity();
+
+        return identity?.GetClaims(Core.Constants.Security.AllowedApplicationsClaimType)
+            .InvariantContains(Core.Constants.Applications.Settings) ?? false;
+
+    }
 }
--- a/src/Umbraco.Web.Common/Repositories/WebProfilerRepository.cs
+++ b/src/Umbraco.Web.Common/Repositories/WebProfilerRepository.cs
@@ -21,7 +21,7 @@ internal class WebProfilerRepository : IWebProfilerRepository
    {
        if (status)
        {
-            _httpContextAccessor.GetRequiredHttpContext().Response.Cookies.Append(CookieName, string.Empty, new CookieOptions { Expires = DateTime.Now.AddYears(1) });
+            _httpContextAccessor.GetRequiredHttpContext().Response.Cookies.Append(CookieName, "1", new CookieOptions { Expires = DateTime.Now.AddYears(1) });
        }
        else
        {