Nullcheck user in Content permission handlers (#17846)

Migaroez · web-flow · commit c96dc7eaa139 · 2025-01-07T14:52:40.000+01:00
diff --git a/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs
@@ -5,6 +5,7 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
 using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 
@@ -60,9 +61,15 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
             nodeId = requirement.NodeId.Value;
         }
 
+        IUser? currentUser = BackOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser;
+        if (currentUser is null)
+        {
+            return Task.FromResult(false);
+        }
+
         ContentPermissions.ContentAccess permissionResult = _contentPermissions.CheckPermissions(
             nodeId,
-            BackOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser,
+            currentUser,
             out IContent? contentItem,
             new[] { requirement.PermissionToCheck });
 
diff --git a/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsResourceHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsResourceHandler.cs
@@ -3,6 +3,7 @@
 
 using Microsoft.AspNetCore.Authorization;
 using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 
 namespace Umbraco.Cms.Web.BackOffice.Authorization;
@@ -34,15 +35,21 @@ public ContentPermissionsResourceHandler(
     protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
         ContentPermissionsResourceRequirement requirement, ContentPermissionsResource resource)
     {
+        IUser? currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser;
+        if (currentUser is null)
+        {
+            return Task.FromResult(false);
+        }
+
         ContentPermissions.ContentAccess permissionResult = resource.NodeId.HasValue
             ? _contentPermissions.CheckPermissions(
                 resource.NodeId.Value,
-                _backOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser,
+                currentUser,
                 out IContent? _,
                 resource.PermissionsToCheck)
             : _contentPermissions.CheckPermissions(
                 resource.Content,
-                _backOfficeSecurityAccessor.BackOfficeSecurity?.CurrentUser,
+                currentUser,
                 resource.PermissionsToCheck);
 
         return Task.FromResult(permissionResult != ContentPermissions.ContentAccess.Denied);
