Vulnerability in EPiServer.Forms
Hi, we have a page which has its access rights set to only be viewed by certain users. This works fine and other users cannot access it. The problem is the page's hyperlink still appears in the navigation menu. I wish this link to not appear for users without the rights to view it and to appear for authorised users. When an unauthorised user clicks the link it just throws out an error.
Could someone show me how to disable the menu item for non-authorised users and show it for authorised users?
You might need to check the code that is rendering the menu. By default an item should not be visible when you do not have access or when you set the property for "do not show in menus" on the settings tab. If this is not working the code might need to be rewritten so that it works with settings made by editors. For instance you can use a filter in EPiServer, "FilterForVisitors", when setting the datasource for your menu, or you can use an ordinary EPiServer web control that will handle that for you.
Like Eric says. If you use EPiServer usercontrols, they will do this for you.
Otherwise you will need to use filters like:
var pagesToFilter = GetPages(); //Gets a PageDataCollection with pages to show in menu...
var filteredPages = EPiServer.Filters.FilterForVisitor.Filter(pagesToFilter);
If you are using List<PageData> or similar you might want to create your own extensions to do this in a nice way with linq instead. Check out FilterAccess and FilterPublish in that case to get yourself in the right direction.
Hi, Really sorry but where is the code that renders the navigation?
Rendering links from a PageDataCollection can be done by using a repeater in aspx, an EPiServer usercontrol that you can read about here, or a simple foreach loop in codefront.
An example of a repeater would look similar to:
code behind: (bind pagedatacollection to repeater)
rptLinks.DataSource = filteredPages;
rptLinks.DataBind();

code front: (render links)
<asp:Repeater runat="server" ID="rptLinks">
  <ItemTemplate>
    <li><a href="<%#Eval("LinkURL") %>"><%#Eval("PageName")%></a></li>
  </ItemTemplate>
</asp:Repeater>

I would suggest adding html encoding to the pagename part as well as the next improvement :)
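Added example, not code from any poster in this thread or from EPiServer: one way to combine the two suggestions above, a LINQ-style filter for `IEnumerable<PageData>` and HTML encoding when rendering the links. The class and method names (`MenuPageExtensions`, `VisibleToCurrentVisitor`, `ToMenuHtml`) are hypothetical, and it assumes the `PageData` members `VisibleInMenu`, `CheckPublishedStatus` and `QueryDistinctAccess` are available in the EPiServer version in use.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using EPiServer.Core;
using EPiServer.Security;

// Hypothetical helper class; these names are not part of EPiServer.
public static class MenuPageExtensions
{
    // Keeps only pages the current visitor should see in a menu:
    // flagged as visible in menus, currently published, and readable
    // by the current user (assumed to be what QueryDistinctAccess checks).
    public static IEnumerable<PageData> VisibleToCurrentVisitor(
        this IEnumerable<PageData> pages)
    {
        return pages.Where(p =>
            p != null &&
            p.VisibleInMenu &&
            p.CheckPublishedStatus(PagePublishedStatus.Published) &&
            p.QueryDistinctAccess(AccessLevel.Read));
    }

    // Renders the filtered pages as list items. The page name is
    // HTML-encoded and the URL attribute-encoded, so text entered by
    // editors cannot inject markup into the menu.
    public static string ToMenuHtml(this IEnumerable<PageData> pages)
    {
        var html = new StringBuilder();
        foreach (var page in pages.VisibleToCurrentVisitor())
        {
            html.AppendFormat(
                "<li><a href=\"{0}\">{1}</a></li>",
                HttpUtility.HtmlAttributeEncode(page.LinkURL),
                HttpUtility.HtmlEncode(page.PageName));
        }
        return html.ToString();
    }
}
```

Filtering only removes the link from the menu; the access rights set on the page itself are still what blocks a direct request.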
ahh okay, we do not actually hold a development licence on the content management system so we are unable to edit the actual code. We are using episerver cms 5.5. All the editing that is being done is in the gui (editor mode), do you have any ideas on how to get it to work in editor mode or any alternatives to using a navigation menu? Many Thanks!
Nope, you will need a developer to fix this. Sorry.