Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Per Nergård
Sep 20, 2010
(0 votes)

Manipulate user / group option in search user / group dialogs

I recently needed to block the user / group option in the membership dialogs to only have the group option.

I guess that it’s not a very common scenario but maybe it will be helpful to someone so here we go.

The search user / group dialog in edit mode is called MembershipBrowser.aspx and is located in the \Application\UI\Edit folder.

In admin mode the dialog is called SearchUsers.aspx in is located in \Application\UI\Edit folder.

To default the dropdowns and disable it was easy enough with some javascript.

Just add the code just before the last closing </asp:content> tag. Setting the selected dropdown to 1 means group and 0 users.

To get this to work in EPiServer you either make the changes directly in the files but that’s not recomended because they can be overwritten with a sp or so.

A better (but not great) way is to make copies of the files and add them your project and then use virtualpathmappings to redirect EPiServer to the new copies.


   1: <script type="text/javascript">
   2:         var dd = document.getElementById('<%=DropDownSecurityEntity.ClientID%>');
   3:         dd.options[1].selected = true;
   4:         dd.disabled = true;
   5:     </script>



   1: <script type="text/javascript">
   2:     var dd = document.getElementById('<%=GroupSelection.ClientID%>');
   3:     dd.options[1].selected = true;
   4:     dd.disabled = true;
   5:     </script>
Sep 20, 2010


Sep 21, 2010 09:53 AM

I think that it is a best practise to use the VirtualPathMappedProvider to "replace" files in EPiServer CMS Edit Mode and Admin Mode.

Is the only bad reason, when using VirtualPathMappedProvider to replace things in the CMS, the fact that you create copies of the CMS files or are there any other drawbacks?

Sep 21, 2010 11:11 AM

No other drawbacks than that you make copies of the original files.

Sep 21, 2010 11:15 PM

Well, either way you do it you'll have to know about the changes done to the CMS files when you add a SP or upgrade, so it should not matter, but if you use VirtualPathMappedProvider you would likely have added your customized files to your project that usually store the sourcecode in a versioning system plus that you would be able ot see the files that have been replaced when you take a look in Episerver.config.

Please login to comment.
Latest blogs
Join the Work Smarter Webinar: Working with the Power of Configured Commerce (B2B) Customer Segmentation December 7th

Join this webinar and learn about customer segmentation – how to best utilize it, how to use personalization to differentiate segmentation and how...

Karen McDougall | Dec 1, 2023

Getting Started with Optimizely SaaS Core and Next.js Integration: Creating Content Pages

The blog post discusses the creation of additional page types with Next.js and Optimizely SaaS Core. It provides a step-by-step guide on how to...

Francisco Quintanilla | Dec 1, 2023 | Syndicated blog

Stop Managing Humans in Your CMS

Too many times, a content management system becomes a people management system. Meaning, an organization uses the CMS to manage all the information...

Deane Barker | Nov 30, 2023

A day in the life of an Optimizely Developer - Optimizely CMS 12: The advantages and considerations when exploring an upgrade

GRAHAM CARR - LEAD .NET DEVELOPER, 28 Nov 2023 In 2022, Optimizely released CMS 12 as part of its ongoing evolution of the platform to help provide...

Graham Carr | Nov 28, 2023