From 7f2d2b30f85a0dca961ba62066c10d4c916e6d8c Mon Sep 17 00:00:00 2001
From: Shannon
Date: Sat, 25 Sep 2021 00:10:42 -0600
Subject: [PATCH] Fixes #11189
---
 .../Security/ConfigureMemberCookieOptions.cs | 15 +++++++++++++++
 .../Routing/PublicAccessRequestHandler.cs | 15 +++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs b/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs
index ba5f0621b9f4..c4649611d3b0 100644
--- a/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs
+++ b/src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs
@@ -1,8 +1,10 @@
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Options;
 using Umbraco.Cms.Core.Routing;
 using Umbraco.Cms.Core.Services;
+using Umbraco.Extensions;
 namespace Umbraco.Cms.Web.Common.Security
 {
@@ -34,6 +36,19 @@ public void Configure(CookieAuthenticationOptions options)
 options.LogoutPath = null;
 options.CookieManager = new MemberCookieManager(_runtimeState, _umbracoRequestPaths);
+
+ options.Events = new CookieAuthenticationEvents
+ {
+ OnSignedIn = ctx =>
+ {
+ // occurs when sign in is successful and after the ticket is written to the outbound cookie
+
+ // When we are signed in with the cookie, assign the principal to the current HttpContext
+ ctx.HttpContext.SetPrincipalForRequest(ctx.Principal);
+
+ return Task.CompletedTask;
+ }
+ };
 }
 }
 }
diff --git a/src/Umbraco.Web.Website/Routing/PublicAccessRequestHandler.cs b/src/Umbraco.Web.Website/Routing/PublicAccessRequestHandler.cs
index 88bb6622bd61..2d5deef62403 100644
--- a/src/Umbraco.Web.Website/Routing/PublicAccessRequestHandler.cs
+++ b/src/Umbraco.Web.Website/Routing/PublicAccessRequestHandler.cs
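Review bot: Assigning a fresh `CookieAuthenticationEvents` to `options.Events` in `ConfigureMemberCookieOptions.Configure` discards every handler already registered on these options. ASP.NET Core Identity's default application-cookie setup attaches `OnValidatePrincipal = SecurityStampValidator.ValidatePrincipalAsync` in the same way, so if that registration runs before this configurator (not visible in the hunk), security-stamp revalidation of member cookies would stop and a password change or forced sign-out would no longer invalidate existing sessions. Setting only the one callback keeps whatever is already there: `options.Events.OnSignedIn = ctx => { ctx.HttpContext.SetPrincipalForRequest(ctx.Principal); return Task.CompletedTask; };`. `Configure` begins outside the hunk, so whether it is restricted to the member scheme cannot be checked from here.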
@@ -1,6 +1,8 @@
 using System;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Logging;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
@@ -65,6 +67,19 @@ public async Task RewriteForPublishedContentAccessAsync(Http
 {
 _logger.LogDebug("EnsurePublishedContentAccess: Page is protected, check for access");
+ // manually authenticate the request
+ AuthenticateResult authResult = await httpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
+ if (authResult.Succeeded)
+ {
+ // set the user to the auth result. we need to do this here because this occurs
+ // before the authentication middleware.
+ // NOTE: It would be possible to just pass the authResult to the HasMemberAccessToContentAsync method
+ // instead of relying directly on the user assigned to the http context, and then the auth middleware
+ // will run anyways and assign the user. Perhaps that is a little cleaner, but would require more code
+ // changes right now, and really it's not any different in the end result.
+ httpContext.User = authResult.Principal;
+ }
+
 publicAccessStatus = await _publicAccessChecker.HasMemberAccessToContentAsync(publishedContent.Id);
 switch (publicAccessStatus)
 {
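Review bot: A failed authentication is dropped silently in the `RewriteForPublishedContentAccessAsync` hunk. When `authResult.Succeeded` is false the code falls through to `HasMemberAccessToContentAsync` with the previous `httpContext.User`, and `authResult.Failure` is never recorded, so a rejected or expired member cookie on a protected page looks the same in the logs as a request with no cookie. Adding `else if (authResult.Failure != null) { _logger.LogDebug(authResult.Failure, "EnsurePublishedContentAccess: member authentication failed"); }` would keep that signal. The success branch also assigns `httpContext.User` directly, while the cookie-options change in this commit goes through `SetPrincipalForRequest`; if that helper does more than a plain assignment the two paths will differ, which is worth confirming. The enclosing method starts before and continues after the hunk.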