
Fix broken CookieAuthenticationRedirect caused by PR #14036 for non-api requests #14399

Conversation

mwillebrands
Contributor


With Pull Request #14036 a fix has been introduced which makes sure that instances of the UmbracoApiController return a 403 and 401 instead of redirecting to the AccessDeniedPath which is configured in the CookieAuthenticationOptions. This feature works, however as a side effect, instances of SurfaceController are also affected by this, and they don't redirect anymore to the AccessDeniedPath, which in my opinion is still wanted functionality.

I've altered the UmbracoMemberAuthorizeFilter so it always returns a ForbidResult as that's the only result that is explicitly handled by the CookieAuthenticationHandler and this makes sure the functionality is the same as before the changes in #14036 except for the UmbracoApiController. The default redirect behaviour can still be overridden in the CookieAuthenticationOptions.

Test

You can use the same test cases as in the original Pull Request, but run them once with an UmbracoApiController and once with a SurfaceController.

Expected Results

ApiController
  • Not logged in should return a 401 status code
  • Not authorized should return a 403 status code

SurfaceController
  • Not logged in should return a redirect to the AccessDeniedPath that is configured in the CookieAuthenticationOptions
  • Not authorized should return a redirect to the AccessDeniedPath that is configured in the CookieAuthenticationOptions
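To make the mechanism concrete, here is an added illustration in C# (not Umbraco's own code) of the pattern the PR describes: an authorization filter that only ever returns ForbidResult, with cookie events that turn it into a 401/403 for API endpoints and a redirect to AccessDeniedPath for everything else. The ApiRequestAttribute marker, the "Member" role and the "/access-denied" path are assumptions made for the example.

```csharp
// Added illustration, not Umbraco's code: the filter only ever returns ForbidResult
// and the cookie events decide whether that means a status code or a redirect.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical marker for API endpoints (the real project keys off its controller types).
public sealed class ApiRequestAttribute : Attribute { }

public sealed class MemberAuthorizeFilter : IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;
        bool allowed = user.Identity?.IsAuthenticated == true
                       && user.IsInRole("Member"); // assumed role name
        if (!allowed)
        {
            // ForbidResult is what the cookie handler explicitly handles: it raises
            // OnRedirectToAccessDenied, where the per-request decision below is made.
            context.Result = new ForbidResult(CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
}

public static class MemberCookieOptions
{
    public static void Configure(CookieAuthenticationOptions options)
    {
        options.AccessDeniedPath = "/access-denied"; // assumed path
        options.Events.OnRedirectToAccessDenied = ctx =>
        {
            bool isApi = ctx.HttpContext.GetEndpoint()?.Metadata
                            .GetMetadata<ApiRequestAttribute>() != null;
            if (!isApi)
            {
                ctx.Response.Redirect(ctx.RedirectUri); // surface controller: redirect
                return Task.CompletedTask;
            }
            // API controller: a bare status code, never a redirect to an HTML page.
            bool authenticated = ctx.HttpContext.User.Identity?.IsAuthenticated == true;
            ctx.Response.StatusCode = authenticated ? StatusCodes.Status403Forbidden
                                                    : StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    }
}
```

Because ForbidResult always goes through the cookie handler, an unauthenticated request to a surface controller also ends at AccessDeniedPath, which matches the expected results listed above.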

@github-actions

github-actions bot commented Jun 16, 2023

Hi there @mwillebrands, thank you for this contribution! 👍

While we wait for one of the Core Collaborators team to have a look at your work, we wanted to let you know that we have a checklist for some of the things we will consider during review:

  • It's clear what problem this is solving, there's a connected issue or a description of what the changes do and how to test them
  • The automated tests all pass (see "Checks" tab on this PR)
  • The level of security for this contribution is the same or improved
  • The level of performance for this contribution is the same or improved
  • Avoids creating breaking changes; note that behavioral changes might also be perceived as breaking
  • If this is a new feature, Umbraco HQ provided guidance on the implementation beforehand
  • 💡 The contribution looks original and the contributor is presumably allowed to share it

Don't worry if you got something wrong. We like to think of a pull request as the start of a conversation, we're happy to provide guidance on improving your contribution.

If you realize that you might want to make some changes then you can do that by adding new commits to the branch you created for this work and pushing new commits. They should then automatically show up as updates to this pull request.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

@emmagarland
Contributor

Hi @mwillebrands!

Thanks for your PR to handle the SurfaceController redirect to Access Denied.

One of the Core Collaborators team will review this as soon as possible. However, in the meantime I am going to raise it internally just to check the desired behaviour of the redirect for a surface controller.

Best wishes and someone will be in touch soon,

Emma

@emmagarland
Contributor

Hi @mwillebrands,

Just to update this one, I have confirmed with HQ that the behaviour you describe sounds like a suitable fix.

Someone from the core collaborators team will review it and hopefully merge it as soon as we can!

Emma

@mwillebrands
Contributor Author

Amazing, thank you very much

@mwillebrands
Contributor Author

@emmagarland, I've created some integration tests for this scenario as well. Would you like these pushed into this PR as a separate commit?

@emmagarland
Contributor

Hi @mwillebrands

That would be ideal, thank you!

Emma

mwillebrands and others added 3 commits June 21, 2023 13:12
…ber-authorize-returns-401-instead-of-redirect-on-surface-controllers

# Conflicts:
#	src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs
Member

@elit0451 elit0451 left a comment


I've tested the changes and they work as intended, thanks for the fix @mwillebrands 🙌

@elit0451 elit0451 merged commit 1d239a3 into umbraco:contrib Jul 4, 2023
13 checks passed
nul800sebastiaan pushed a commit that referenced this pull request Jul 4, 2023
…pi requests (#14399)

* Fix broken CookieAuthenticationRedirect caused by PR #14036 when not in an API controller

* Added Integration Tests for the MemberAuthorizationFilter

* Fix merge conflict

---------

Co-authored-by: Elitsa <elm@umbraco.dk>
(cherry picked from commit 1d239a3)
@nul800sebastiaan
Member

Cherry picked for v10/11 in 3f196a9


5 participants