Björn Olsson
Oct 11, 2011
(2 votes)

Virtual role validation behavior changed in EPiServer CMS6 R2

I recently upgraded a site to R2 and noticed that one of the custom virtual roles had stopped working properly (the access rights in the edit page tree looked messed up). After some quick logging, I discovered that each virtual role was only validated once when I expanded a node in the page tree. This would usually not be an issue for a virtual role, but in my case, the virtual role is based on each specific PageData object. This basically means that the first child page in the node being loaded decides which access the user has for every following child page. This works as expected in R1, however (by default). I thought this was a bug in R2, so I created a support ticket; at the same time, it also crossed my mind that this could be a performance enhancement. I got my answer a few days later: it’s a performance enhancement. But this can easily be overridden (if needed):

using System;
using EPiServer.Core;

public class MyVirtualRole : EPiServer.Security.VirtualRoleProviderBase
{
    public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
    {
        base.Initialize(name, config);

        // Evaluate the role on every check instead of reusing the cached result.
        this.EnableIsInRoleCache = false;
    }

    public override bool IsInVirtualRole(System.Security.Principal.IPrincipal principal, object context)
    {
        // Only handle checks where the context is a page ACL.
        EPiServer.Security.PageAccessControlList acl = context as EPiServer.Security.PageAccessControlList;

        if (acl != null)
        {
            PageData page = EPiServer.DataFactory.Instance.GetPage(acl.PageLink);
            return page.PageName.Equals("Test", StringComparison.InvariantCultureIgnoreCase);
        }

        return false;
    }
}
This virtual role basically checks if the given page is named “Test”. But it won’t work as expected if EnableIsInRoleCache is set to true, which is the default. This is, as I mentioned, a performance enhancement, so don’t disable the cache unless needed, basically only if you are validating against the PageData object (or ACL) as in this example. I can’t think of another scenario as I’m typing this.
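The effect described above can be reproduced without EPiServer. The following is an added example, not code from the original post or from EPiServer: `Page`, `RoleEvaluator` and the `user|role` cache key are hypothetical stand-ins that assume the cached result is reused without regard to the page. With the cache on, the decision made for the first child is returned for its siblings as well.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of a role-check cache; these types are NOT EPiServer classes.
class Page { public string Name; public Page(string name) { Name = name; } }

class RoleEvaluator
{
    private readonly Dictionary<string, bool> _cache = new Dictionary<string, bool>();
    public bool EnableCache = true;   // stands in for EnableIsInRoleCache
    public int Evaluations;           // how many times the role logic actually ran

    // Context-dependent role: the answer depends on the page, not only on the user.
    private bool IsInVirtualRole(string user, Page page)
    {
        Evaluations++;
        return page.Name.Equals("Test", StringComparison.OrdinalIgnoreCase);
    }

    public bool IsInRole(string user, string role, Page page)
    {
        if (!EnableCache) return IsInVirtualRole(user, page);
        string key = user + "|" + role;           // assumed key: ignores the page
        bool cached;
        if (!_cache.TryGetValue(key, out cached))
        {
            cached = IsInVirtualRole(user, page); // the first page checked decides
            _cache[key] = cached;
        }
        return cached;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: three child pages under one expanded node.
        var children = new[] { new Page("Test"), new Page("News"), new Page("Contact") };
        foreach (bool enableCache in new[] { true, false })
        {
            var evaluator = new RoleEvaluator { EnableCache = enableCache };
            Console.WriteLine("Cache enabled: " + enableCache);
            foreach (Page p in children)
                Console.WriteLine("  " + p.Name + " -> " + evaluator.IsInRole("editor", "MyVirtualRole", p));
            Console.WriteLine("  role logic ran " + evaluator.Evaluations + " time(s)");
        }
    }
}
```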

And I’m out!
