From 85d35b3a69f4cb7552250fe3a044a60f6c9b6ffa Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Mon, 8 Apr 2024 11:14:25 +0200
Subject: [PATCH] Ensure the user is authenticated to see webprofiler/miniprofiler logs (#16007)
---
 .../Profiler/ConfigureMiniProfilerOptions.cs | 17 ++++++++++++++---
 .../Repositories/WebProfilerRepository.cs | 2 +-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/Umbraco.Web.Common/Profiler/ConfigureMiniProfilerOptions.cs b/src/Umbraco.Web.Common/Profiler/ConfigureMiniProfilerOptions.cs
index 4239ba1737..e005183d2b 100644
--- a/src/Umbraco.Web.Common/Profiler/ConfigureMiniProfilerOptions.cs
+++ b/src/Umbraco.Web.Common/Profiler/ConfigureMiniProfilerOptions.cs
@@ -1,5 +1,8 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
+using OpenIddict.Abstractions;
 using StackExchange.Profiling;
 using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.Hosting;
@@ -35,9 +38,17 @@ internal sealed class ConfigureMiniProfilerOptions : IConfigureOptions true;// FIXME when we can get current backoffice user, _backOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser is not null;
+ private async Task IsBackofficeUserAuthorized(HttpRequest request)
+ {
+ AuthenticateResult authenticateResult = await request.HttpContext.AuthenticateBackOfficeAsync();
+ ClaimsIdentity? identity = authenticateResult.Principal?.GetUmbracoIdentity();
+
+ return identity?.GetClaims(Core.Constants.Security.AllowedApplicationsClaimType)
+ .InvariantContains(Core.Constants.Applications.Settings) ?? false;
+
+ }
 }
diff --git a/src/Umbraco.Web.Common/Repositories/WebProfilerRepository.cs b/src/Umbraco.Web.Common/Repositories/WebProfilerRepository.cs
index 52eaaf04ca..44dc862e96 100644
--- a/src/Umbraco.Web.Common/Repositories/WebProfilerRepository.cs
+++ b/src/Umbraco.Web.Common/Repositories/WebProfilerRepository.cs
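Review bot: `IsBackofficeUserAuthorized` carries no XML doc, and the policy it enforces is stricter than the commit title states: access is granted only when the authenticated back-office identity's `AllowedApplicationsClaimType` claim contains the Settings section, not to any authenticated user. A summary such as `/// Gates MiniProfiler result access: true only for an authenticated back-office user with access to the Settings section; a failed authentication or a missing Umbraco identity yields false.` would make that contract explicit for whoever next relaxes or tightens it. The `?? false` on the return line is what turns every failure path into a deny, because `identity?.GetClaims(...)` short-circuits to null when there is no principal or identity, so a one-line why-comment there (`// deny by default: no principal, no Umbraco identity, or no Settings access`) would save the next reader from re-deriving it. Minor style: the blank line before the method's closing brace can be dropped, and the generic argument of the `Task` return type appears to have been stripped in this rendering of the patch, as has the `-` line that the hunk header is fused with, so part of this hunk is not reliably visible here.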
@@ -21,7 +21,7 @@ internal class WebProfilerRepository : IWebProfilerRepository
 {
 if (status)
 {
- _httpContextAccessor.GetRequiredHttpContext().Response.Cookies.Append(CookieName, string.Empty, new CookieOptions { Expires = DateTime.Now.AddYears(1) });
+ _httpContextAccessor.GetRequiredHttpContext().Response.Cookies.Append(CookieName, "1", new CookieOptions { Expires = DateTime.Now.AddYears(1) });
 }
 else
 {
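Review bot: The new cookie value `"1"` replaces `string.Empty` with no comment saying why, so the next reader cannot tell whether the value itself is meaningful or merely has to be non-empty; a short why-comment on the `+` line, e.g. `// non-empty marker value; presumably only the cookie's presence is checked — TODO confirm against the reader`, would settle it, since the consuming side is not in this hunk. The same line still computes the expiry with `DateTime.Now.AddYears(1)`; `CookieOptions.Expires` is a `DateTimeOffset?`, so `Expires = DateTimeOffset.UtcNow.AddYears(1)` avoids depending on the server's local time zone. The `CookieOptions` also sets no `HttpOnly`, `Secure` or `SameSite`, so the ASP.NET Core defaults apply; if this toggle is only ever read server-side, stating the intended attributes explicitly would be worth it, but I cannot confirm from the hunk who consumes the cookie. The enclosing method's signature is outside the hunk.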