Fix: AllowAnonymous attribute on Action is ignored when UmbracoMemberAuthorize is set on Controller

An0d · An0d · commit e6413aad0a3a · 2021-09-17T11:22:09.000+02:00
Ref: #11125
diff --git a/src/Umbraco.Web.Common/Filters/UmbracoMemberAuthorizeFilter.cs b/src/Umbraco.Web.Common/Filters/UmbracoMemberAuthorizeFilter.cs
@@ -1,6 +1,10 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
+
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Authorization;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.DependencyInjection;
 using Umbraco.Cms.Core.Security;
@@ -42,6 +46,12 @@ public  UmbracoMemberAuthorizeFilter(string allowType, string allowGroup, string
 
         public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
         {
+            // Allow Anonymous skips all authorization
+            if (HasAllowAnonymous(context))
+            {
+                return;
+            }
+
             IMemberManager memberManager = context.HttpContext.RequestServices.GetRequiredService<IMemberManager>();
 
             if (!await IsAuthorizedAsync(memberManager))
@@ -51,6 +61,32 @@ public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
             }
         }
 
+        /// <summary>
+        /// Copied from https://github.com/dotnet/aspnetcore/blob/main/src/Mvc/Mvc.Core/src/Authorization/AuthorizeFilter.cs
+        /// </summary>
+        private bool HasAllowAnonymous(AuthorizationFilterContext context)
+        {
+            var filters = context.Filters;
+            for (var i = 0; i < filters.Count; i++)
+            {
+                if (filters[i] is IAllowAnonymousFilter)
+                {
+                    return true;
+                }
+            }
+
+            // When doing endpoint routing, MVC does not add AllowAnonymousFilters for AllowAnonymousAttributes that
+            // were discovered on controllers and actions. To maintain compat with 2.x,
+            // we'll check for the presence of IAllowAnonymous in endpoint metadata.
+            var endpoint = context.HttpContext.GetEndpoint();
+            if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
+            {
+                return true;
+            }
+
+            return false;
+        }
+
         private async Task<bool> IsAuthorizedAsync(IMemberManager memberManager)
         {
             if (AllowMembers.IsNullOrWhiteSpace())
