Adds the C# Auth Policy bits to protect the API to only users who hav…

…e the permission

ExaminePeek/Auth/HasUmbracoPermissionHandler.cs

@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Authorization;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.Security.Authorization;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Extensions;
+
+namespace ExaminePeek.Auth
+{
+	public class HasUmbracoPermissionHandler : AuthorizationHandler<HasUmbracoPermissionRequirement>
+	{
+		private readonly IAuthorizationHelper _authorizationHelper;
+		private readonly IUserService _userService;
+
+		public HasUmbracoPermissionHandler(IAuthorizationHelper authorizationHelper, IUserService userService)
+		{
+			_authorizationHelper = authorizationHelper;
+			_userService = userService;
+		}
+
+		protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasUmbracoPermissionRequirement requirement)
+		{
+			var umbracoUser = _authorizationHelper.GetUmbracoUser(context.User);
+			umbracoUser.
+			var permissions = umbracoUser.GetPermissions(Constants.System.RootString, _userService);
+			var hasPermission = permissions.Contains(requirement.Permission);
+
+			if (hasPermission)
+			{
+				context.Succeed(requirement);
+				return Task.CompletedTask;
+			}
+
+			context.Fail();
+			return Task.CompletedTask;
+		}
+	}
+}

ExaminePeek/Auth/HasUmbracoPermissionRequirement.cs

@@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace ExaminePeek.Auth
+{
+	public class HasUmbracoPermissionRequirement : IAuthorizationRequirement
+	{
+		public HasUmbracoPermissionRequirement(string permission) => Permission = permission;
+		public string Permission { get; }
+	}
+}

ExaminePeek/Composers/ExaminePeekComposer.cs

@@ -1,8 +1,13 @@
-using Microsoft.Extensions.DependencyInjection;
+using ExaminePeek.Auth;
+using ExaminePeek.Extensions;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.OpenApi.Models;
+using OpenIddict.Validation.AspNetCore;
 using Swashbuckle.AspNetCore.SwaggerGen;
 using System.Reflection;
 using Umbraco.Cms.Api.Management.OpenApi;
+using Umbraco.Cms.Api.Management.Security.Authorization.UserGroup;
 using Umbraco.Cms.Core.Composing;
 using Umbraco.Cms.Core.DependencyInjection;
 
@@ -40,6 +45,16 @@ public void Compose(IUmbracoBuilder builder)
 					opt.IncludeXmlComments(xmlPath);
 				}
 			});
+
+			builder.Services.AddSingleton<IAuthorizationHandler, HasUmbracoPermissionHandler>();
+			builder.Services.Configure<AuthorizationOptions>(opt =>
+			{	
+				opt.AddPolicy("HasExaminePeekPermission", policyBuilder =>
+				{
+					policyBuilder.AuthenticationSchemes.Add(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
+					policyBuilder.RequireUmbracoPermission("ExaminePeek.Enabled");
+				});
+			});
 		}
 
 		// PR: https://github.com/umbraco/Umbraco-CMS/pull/15699

ExaminePeek/Controllers/ExaminePeekControllerBase.cs

@@ -1,14 +1,13 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Attributes;
-using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Cms.Web.Common.Routing;
 
 namespace ExaminePeek.Controllers
 {
 	[ApiController]
 	[BackOfficeRoute("examinepeek/api/v{version:apiVersion}")]
-	[Authorize(Policy = AuthorizationPolicies.SectionAccessContent)]
+	[Authorize(Policy = "HasExaminePeekPermission")]
 	[MapToApi("ExaminePeek")]
 	public class ExaminePeekControllerBase : ControllerBase
 	{

ExaminePeek/Extensions/PolicyBuilderExtensions.cs

@@ -0,0 +1,13 @@
+using ExaminePeek.Auth;
+using Microsoft.AspNetCore.Authorization;
+
+namespace ExaminePeek.Extensions
+{
+	public static class PolicyBuilderExtensions
+	{
+		public static void RequireUmbracoPermission(this AuthorizationPolicyBuilder builder, string permission)
+		{
+			builder.Requirements.Add(new HasUmbracoPermissionRequirement(permission));
+		}
+	}
+}