Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • David Armitage 479 posts 2008 karma points
    Jun 12, 2021 @ 14:42
    David Armitage
    0

    Umbraco 9 AuthorizationFilter - User Always Null

    Hi All,

    I am trying to create an AuthorizationFilter filter in Umbraco 9.

    public bool Authorize([NotNull] DashboardContext context)
    {
          var httpContext = context.GetHttpContext();
          var authService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
          bool success = authService.AuthorizeAsync(httpContext.User, this.policyName).ConfigureAwait(false).GetAwaiter().GetResult().Succeeded;
          return success;
    }
    

    The trouble is the user from the context is always null regardless to if I am logged in to Umbraco or not.

    I am trying to port this code over from Umbraco 8.

    public bool Authorize(DashboardContext context)
    {
           var http = new HttpContextWrapper(HttpContext.Current);
           var ticket = http.GetUmbracoAuthTicket();
           http.AuthenticateCurrentRequest(ticket, true);
    
           var user = Current.UmbracoContext.Security.CurrentUser;
    
           return user != null && user.Groups.Any(g => g.Alias == "admin");
    }
    

    Any ideas - I am guessing I am missing something valuable from the startup.cs.

    Thanks in Advance

    Regards

    David

  • Mathias Hove 11 posts 71 karma points
    Jun 12, 2021 @ 19:55
    Mathias Hove
    0

    HI David.

    You should try

    using Umbraco.Extensions;
    HttpContext.User.GetUmbracoIdentity()
    

    This should give you the Umbraco user instead of a member. I THINK. Not 100% sure :)

  • David Armitage 479 posts 2008 karma points
    Jun 13, 2021 @ 01:52
    David Armitage
    0

    Unfortunately that didn't work.

    It looks like the user isn't in context at that stage. This might not be as easy as first though.

    I think I will get hangfire working without this. I have managed to get it working with authorization disabled. I also got it working using a username and password.

    I just wanted to go one step further and get this working only for logged in users.

    Maybe I will revisit this at a later date.

    enter image description here

  • David Armitage 479 posts 2008 karma points
    Jun 13, 2021 @ 04:36
    David Armitage
    0

    Just adding a bit of context here.

    This is relating to this article I wrote.

    https://www.umbrajobs.com/blog/posts/2021/june/umbraco-9-configuring-hangfire-scheduled-tasks/

    Getting up and running with Hangfire for Umbraco 9.

    I am fully up and running with Hangfire but there is this last issue (related to this task) preventing me from security the Hangfire dashboard based on if the Umbraco user is logged in or not.

    Kind Regards

    David

  • Marc Goodson 1626 posts 10769 karma points MVP 6x c-trib
    Jun 13, 2021 @ 11:15
    Marc Goodson
    2

    Hi David

    Just guessing from the code, but have you tried injecting BackofficeSecurityAccessor?

    I saw this PR here: https://github.com/umbraco/Umbraco-CMS/pull/8871/files

    and on another PR about removing UmbracoBackofficeIdentity

    https://github.com/umbraco/Umbraco-CMS/pull/9833#issuecomment-783593383

    there is the suggestion of

    _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser
    

    (after injecting the BackOfficeSecurityAccessor)

    being the new way to access the current backoffice user, but I haven't tried it!

    regards

    marc

  • Sebastiaan Janssen 4966 posts 14967 karma points MVP admin hq
    Jun 14, 2021 @ 13:07
    Sebastiaan Janssen
    0

    I'll relay Shannon's answer to me about this, we haven't figured this out together yet:

    I'll try to explain - this is Authentication (AuthN) vs Authorization (AuthZ)

    In Umbraco, there are specific request paths that are authenticated for the back office and the rest are authenticated as the front-end. This is how it is possible to have both Members and Users working at the same time. Some paths are considered back office and as such, we will execute the AuthN process for the back office (i.e. cookie authentication for the back office). If the AuthN succeeds the User (Principal) is assigned to the HttpContext. If the request is not for the back office, it will run the AuthN for the front (i.e. cookie authentication for the front-end members).If the AuthN succeeds the User (Principal) is assigned to the HttpContext.

    How a back office request is determined is based on one method UmbracoRequestPaths.IsBackOfficeRequest (in v8 this is a little different).

    In both v8 and v9, we need a way to register a non-standard back office request as a back office request. Alternatively, things that need to be Authenticated as a back office request, should be routed as such.

    You can change the route to be a back office route. Most things in /umbraco/* are considered as such. There are a few exceptions like surface controllers and api controllers that are front-end controllers but are also routed under the /umbraco route (which is why we have the [IsBackOffice] attribute. You can have a look at the IsBackOfficeRequest method and tests to see what is a back office request.

    We actually have documentation for this: https://our.umbraco.com/documentation/Reference/Routing/Authorized/

    I tried simply updating the /hangfire route to /umbraco/hangfire but no luck with that. Something "extra" needs to happen and I didn't have the time to work on that yet.

  • Marc Goodson 1626 posts 10769 karma points MVP 6x c-trib
    Jun 14, 2021 @ 19:01
    Marc Goodson
    0

    Hi Seb

    Did you try routing via

    /umbraco/backoffice/hangfire

    ???

    I think it's anything routed via /umbraco/backoffice that is denoted as a backoffice request...

    regards

    marc

  • Sebastiaan Janssen 4966 posts 14967 karma points MVP admin hq
    Jun 14, 2021 @ 19:37
    Sebastiaan Janssen
    0

    Ah, great suggestion, but no luck! My InPrivate window does not ask for any auth! 😅

  • David Armitage 479 posts 2008 karma points
    Jun 14, 2021 @ 12:31
    David Armitage
    0

    Still working on this. I need to figure out how to compose this without injecting it in to see if that will work.

    Anyone any ideas how to compose something without dependency injection using Umbraco 9?

    Like we used to do for 8 inside custom classes or razor views.

  • Gareth Wright 32 posts 100 karma points c-trib
    Jul 02, 2021 @ 14:01
    Gareth Wright
    0

    Is there any update on how this could work?

  • Gunnar Már Óttarsson 10 posts 43 karma points
    Aug 15, 2021 @ 02:59
    Gunnar Már Óttarsson
    0

    Possibly related issue is determining if a backoffice user is logged in from a razor view.

    User.GetUmbracoIdentity() is always null probably since we haven't Authenticated.

    AuthenticationService.AuthenticateAsync doesn't work since the cookie manager stops the flow if it's not a backoffice route.

    Seems pretty impossible right now

  • Grégory Viaene 1 post 73 karma points c-trib
    Sep 29, 2021 @ 09:17
    Grégory Viaene
    1

    Hi,

    Just found a way to restrict access to Hangfire for Members or to Backoffice Users

    To restrict access to Umbraco BackOffice Users, it only works if the hangfire url starts with /umbraco/backoffice/. Did not find a way to make it works with only /hangfire

    Here are the gists

    Umbraco9 & Hangfire with Member access https://gist.github.com/An0d/46d2e5d5fab229f744669c4676adc07b

    Umbraco9 & Hangfire with BackOffice User access https://gist.github.com/An0d/497766f14b452b278c8f4dfa3ac74c16

    For BackOffice Users access I used the BackOfficeAccess Authorization policy provided by Umbraco but you could also define your own policy to add multiple criterias ;-)

    Hope it helps

  • Sebastiaan Janssen 4966 posts 14967 karma points MVP admin hq
    Sep 30, 2021 @ 08:36
    Sebastiaan Janssen
    1

    Think you've found the same thing I did! 👍

    https://cultiv.nl/blog/setting-up-hangfire-in-umbraco-9/

    It's also an Umbraco package now so no need to write the plumbing code: https://our.umbraco.com/packages/developer-tools/cultivhangfire/

    Ah, I didn't notice the member access, that could be useful for some!

  • Marc Goodson 1626 posts 10769 karma points MVP 6x c-trib
    Oct 01, 2021 @ 17:03
    Marc Goodson
    0

    ooh, So my hunch was right?

  • Sebastiaan Janssen 4966 posts 14967 karma points MVP admin hq
    Oct 02, 2021 @ 08:40
    Sebastiaan Janssen
    0

    @Marc yeah looks like we can't secure arbitrary routes they need to be in the /umbraco route (whatever your route is for the backoffice.. and I just remembered that I shouldn't hardcode that, since the route is configurable).

    Please do note that Grégory's code opens the dashboard up to anyone with backoffice access, I am specifically limiting it to backoffice users with access to the Settings section of Umbraco.

Please Sign in or register to post replies

Write your reply to:

Draft