Vulnerability in EPiServer.Forms
How can I prevent page from being changed when I save and publish it programmatically?
Basically, I would like to prevent that ChangedBy and Changed are changed when I add items to a specific content area programmatically.
Thx a lot!
Does the ForceCurrentVersion flag update those values?
Not sure, let me give it a try
I have to use ForceCurrentVersion with Publish, otherwise the page doesn't get published at all. This does change the username, but I'll give it some more debugging to make sure I've tried out everything.
If the page is not already published, and you need to do that, perhaps you could try manually setting the properties for Status, perhaps check IsPendingPublished and also StartPublish. ForceCurrentVersion will not clear the cache, so you'll probably need to do that as well.
Hey, Per, thx a lot for your help, this combination worked: SaveAction.CheckIn | SaveAction.ForceCurrentVersion:
contentRepo.Save(clone, SaveAction.CheckIn | SaveAction.ForceCurrentVersion, AccessLevel.NoAccess);
I've added the following blog post on the subject: http://www.mogul.com/en/about-mogul/blog/saveactionsave-saveactionforcecurrentversion-doesnt-change-changed-but-does-touch-changedby
Thanks for sharing that! There might be a way around the "ChangedBy" though. Have you tried something like this?
var clone = somePage.CreateWritableClone();
// create a temporary principal with the same name as the current "changedBy" value
PrincipalInfo.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(somePage.ChangedBy),null);
// modify stuff
clone.PageName = "My new name";
// .. and save
contentRepository.Save(clone, SaveAction.Publish, AccessLevel.NoAccess);
I have thought about it, but it looked dirty. Then I would need to reset back the current principal. Then in future, if someone else gets hold of the code and wraps the actual principal in an if statement, here goes the website authorization, everybody gets manager's access rights :D Paranoid or realistic?
Maybe a little bit of both? :-) I guess it's not the safest bit of code, but if done right I wouldn't be too worried. Well.. Until someone else gets hold of the code as you say. This blogpost shows a rather clean way of temporarily using another principal. Use at own risk I suppose
I've seen the blogpost, didn't cross my mind that I could use it for my thing ;)
Thx for a nice discussion!
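The temporary principal swap suggested in the thread, wrapped so the original principal is always restored, even when the save throws. This is an added example, not code from the thread or from Episerver; `PrincipalScope`, `PageUpdater` and `RenameKeepingChangedBy` are hypothetical names, and the Episerver calls are the ones already used in the posts above.

```csharp
using System;
using System.Security.Principal;
using EPiServer;
using EPiServer.Core;
using EPiServer.DataAccess;
using EPiServer.Security;

// Hypothetical helper: swaps PrincipalInfo.CurrentPrincipal for the lifetime
// of a using block and restores the original on Dispose, also on exceptions.
public sealed class PrincipalScope : IDisposable
{
    private readonly IPrincipal _original;
    private bool _disposed;

    public PrincipalScope(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("User name is required.", nameof(userName));

        _original = PrincipalInfo.CurrentPrincipal;
        // Name only, empty role list: the temporary principal carries no role membership.
        PrincipalInfo.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(userName), new string[0]);
    }

    public void Dispose()
    {
        if (_disposed) return;
        PrincipalInfo.CurrentPrincipal = _original;
        _disposed = true;
    }
}

public static class PageUpdater
{
    public static void RenameKeepingChangedBy(
        IContentRepository contentRepository, PageData somePage, string newName)
    {
        var clone = somePage.CreateWritableClone();
        clone.PageName = newName;

        // Keep the swapped principal scoped to the single Save call.
        using (new PrincipalScope(somePage.ChangedBy))
        {
            contentRepository.Save(clone, SaveAction.Publish, AccessLevel.NoAccess);
        }
        // Outside the block the request runs as the real user again.
    }
}
```

Keeping the scope around the `Save` call only, with no conditional logic inside it, leaves no code path where the swapped principal outlives the operation.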