From 0d718a5ca2b3084e6decddcbfefdb5222c33654c Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Wed, 13 Dec 2023 18:25:21 -0500
Subject: [PATCH] ignore Blazor framework requests
---
 .../Infrastructure/Middleware/TenantMiddleware.cs | 3 +--
 Oqtane.Server/Security/PrincipalValidator.cs | 10 ++++++----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/Oqtane.Server/Infrastructure/Middleware/TenantMiddleware.cs b/Oqtane.Server/Infrastructure/Middleware/TenantMiddleware.cs
index 3addfb01..dd9e97dd 100644
--- a/Oqtane.Server/Infrastructure/Middleware/TenantMiddleware.cs
+++ b/Oqtane.Server/Infrastructure/Middleware/TenantMiddleware.cs
@@ -23,8 +23,7 @@ namespace Oqtane.Infrastructure
 var config = context.RequestServices.GetService(typeof(IConfigManager)) as IConfigManager;
 string path = context.Request.Path.ToString();
-
- if (config.IsInstalled() && !path.StartsWith("/_blazor"))
+ if (config.IsInstalled() && !path.StartsWith("/_")) // ignore Blazor framework requests
 {
 // get alias (note that this also sets SiteState.Alias)
 var tenantManager = context.RequestServices.GetService(typeof(ITenantManager)) as ITenantManager;
diff --git a/Oqtane.Server/Security/PrincipalValidator.cs b/Oqtane.Server/Security/PrincipalValidator.cs
index a2c31ef9..269fbc5b 100644
--- a/Oqtane.Server/Security/PrincipalValidator.cs
+++ b/Oqtane.Server/Security/PrincipalValidator.cs
@@ -8,6 +8,7 @@ using Oqtane.Models;
 using System.Collections.Generic;
 using Oqtane.Extensions;
 using Oqtane.Shared;
+using System.IO;
 namespace Oqtane.Security
 {
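Review bot: The new guard `!path.StartsWith("/_")` in TenantMiddleware.cs exempts every path that begins with an underscore from tenant resolution, not only the Blazor framework endpoints its comment names, and the same test is added in PrincipalValidator.cs (hunk at -17,9), where it also skips re-validation of the authenticated principal. Any current or future route under `/_…` would therefore run with no alias set and with roles and site key unchecked. Matching the intended prefixes by segment keeps the exemption narrow, for example `!context.Request.Path.StartsWithSegments("/_blazor") && !context.Request.Path.StartsWithSegments("/_framework")` (plus `/_content` if static web assets are meant as well). If the string form is kept, pass `StringComparison.Ordinal` so the comparison is not culture-sensitive. The enclosing method starts and ends outside the hunk.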
@@ -17,9 +18,11 @@ namespace Oqtane.Security
 {
 if (context != null && context.Principal.Identity.IsAuthenticated && context.Principal.Identity.Name != null)
 {
- // check if framework is installed
 var config = context.HttpContext.RequestServices.GetService(typeof(IConfigManager)) as IConfigManager;
- if (config.IsInstalled())
+ string path = context.Request.Path.ToString().ToLower();
+
+ // check if framework is installed
+ if (config.IsInstalled() && !path.StartsWith("/_")) // ignore Blazor framework requests
 {
 // get current site
 var alias = context.HttpContext.GetAlias();
@@ -28,12 +31,11 @@ namespace Oqtane.Security
 var claims = context.Principal.Claims;
 // check if principal has roles and matches current site
- if (!claims.Any(item => item.Type == ClaimTypes.Role) || claims.Any(item => item.Type == "sitekey" && item.Value != alias.SiteKey))
+ if (!claims.Any(item => item.Type == ClaimTypes.Role) || !claims.Any(item => item.Type == "sitekey" && item.Value == alias.SiteKey))
 {
 var userRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRepository)) as IUserRepository;
 var userRoleRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRoleRepository)) as IUserRoleRepository;
 var _logger = context.HttpContext.RequestServices.GetService(typeof(ILogManager)) as ILogManager;
- string path = context.Request.Path.ToString().ToLower();
 User user = userRepository.GetUser(context.Principal.Identity.Name);
 if (user != null)
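Review bot: `context.Request.Path.ToString().ToLower()` in the -17,9 hunk lower-cases with the server's current culture, so the value of `path` can differ between locales. The declaration removed in the -28,12 hunk suggests `path` is still read further down, outside the visible lines, so a stable form matters beyond the prefix test. Proposed line: `string path = context.Request.Path.ToString().ToLowerInvariant();`. The enclosing method starts and ends outside the hunk.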
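Review bot: The rewritten condition in the -28,12 hunk now sends a principal with no `sitekey` claim at all into the refresh branch, but the comment above it is unchanged and nothing records why the test was inverted. A comment such as `// refresh when the principal has no role claims or no sitekey claim matching the current site` would make the stricter rule explicit. The refresh branch continues past the end of the hunk, so it is not visible whether it adds a `sitekey` claim equal to `alias.SiteKey`; if it does not, each validation of such a principal would repeat the `GetUser` lookup, which is worth confirming. `alias` is dereferenced inside the lambda, and its null check, if any, lies in the lines between the two hunks.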