Umbraco 13 backoffice authentication in frontend
# help-with-umbraco
c
This is obviously not ideal, but I'm working with a situation where, rather than building out a whole Angular UI for a backoffice custom page, we're looking into just using an existing .NET Core set of controller/view/model code to render a custom page. This page should only be accessible to users who are authenticated in backoffice, but since there's no way to 'inject' a standard model/view/controller action into the backoffice UI, we're thinking we just put it on the frontend, but in the action verify that the user is logged in and has the proper Group in the backend.

In Umbraco 9, I see references to people doing things like this: https://our.umbraco.com/forum/umbraco-9/106857-how-do-i-determine-if-a-backoffice-user-is-logged-in-from-a-razor-view#comment-334423 They seem to be manually checking the cookies. I believe you'd have to be on a route of /umbraco/backoffice/* in order to see those? Not sure.

In any case, the question is: To do the above, what changes in Umbraco 13? https://github.com/umbraco-community/Our-Umbraco-TagHelpers/blob/dee84a4726e3db60b77fb0187a76f8ec0c86e003/Our.Umbraco.TagHelpers/Services/BackofficeUserAccessor.cs There's even a Tag Helper written for Umbraco 9 that does almost what I want (I want to gate the entire Action, not just a part of it), I just need to understand what's different for 13, or if there's a better way to do this.
j
@Chris Bass this might help - we're doing something similar in the https://www.nuget.org/packages/Bento.Editor package: https://github.com/KOBENDigital/bento.editor/blob/v13/main/src/Bento.Core/Controllers/BentoApiController.cs the following attributes lock the controller down so it can only be accessed if logged into the backoffice:
```csharp
[IsBackOffice]
[UmbracoUserTimeoutFilter]
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
[DisableBrowserCache]
[UmbracoRequireHttps]
[MiddlewareFilter(typeof(UnhandledExceptionLoggerFilter))]
```
c
I see. So looking through https://docs.umbraco.com/umbraco-cms/v/13.latest-lts/implementation/controllers#surface-controllers and https://docs.umbraco.com/umbraco-cms/v/13.latest-lts/reference/routing/umbraco-api-controllers#backoffice-controllers is a little confusing to me, but both seem to imply that the 'IsBackOffice' and Authorize logic only work if your route is /umbraco/backoffice/{whatever} - Is that the sort of route you used for your API? If it works just like that, that's a relief, and good enough for my needs.
j
correct, the URLs come out as: https://your-site.com/umbraco/backoffice/Bento/LoadEmbeddedContent?contentid=1163 so you should be in business 😉 the trick/hack was using the `IVirtualPageController` so we could do a custom route: https://docs.umbraco.com/umbraco-cms/reference/routing/custom-routes#custom-route-with-ivirtualpagecontroller our workaround for the `FindContent` part is:
```csharp
public IPublishedContent FindContent(ActionExecutingContext actionExecutingContext)
{
    //todo: this isn't ideal... but the controller needs to find a piece of content otherwise it won't find a route
    var context = _umbracoContextAccessor.GetRequiredUmbracoContext();
    return context.Content?.GetAtRoot().FirstOrDefault();
}
```
as you can see from the comment, we're relying on the fact there'll be at least one piece of content in the content tree... but in all instances for us there will be!
c
I see, so you're just getting the base document so that FindContent is satisfied - you're not actually using the root document in your code, right?
j
correct - it's a hack but it does work 😉