Vulnerability in EPiServer.Forms
This seems like a pretty basic piece of functionality, but we're having trouble tracking down what is causing it. Any insight is appreciated.
Some of our pages allow images to be inserted. The editor uploads the images to the media folder, then drops them onto the page.
If a user visits the site and is logged in, the page shows up and the images show correctly. If the user is not logged in, the image shows up as a broken link. Going to the image URL in that case prompts for a log in. If the user logs in, the image is displayed correctly.
The image URL is generally /globalassets/some-media-path/filename.jpg.
I checked in the admin area, and the Global Assets folder permissions are set to allow Everyone read access, and it is set to propagate to all child items, so those seem correct. That is the same as what is set on the pages in general, and the pages all show up without login; it is just the uploaded files that are prompting.
The blob provider is backed by S3, but I've tested using the default (file based) blob store as well, with identical results.
Any ideas why attempting to open a /globalassets/ URL would prompt for a login?
Thanks in advance!
We've had this issue before and it had to do with editors not having publish rights in a folder. When they uploaded the image it was successfully uploaded, but not published (hence users were prompted to log in to access it). Is the image published?
Thank you so much! This put us on the right track. Yes, we were expecting the media file to be publishing automatically. The users who upload the media do have permissions to publish it, but what we didn't realize is that the media types have some required metadata fields (alt text on images, for example), and those not being populated cause the auto-publishing to not happen.
By editing the media files and supplying the required metadata fields and then publishing, the /globalassets/ links work as expected for unauthenticated users.
Thank you again!
I have a similar problem to yours. I import images from InRiver and can access them when I'm logged in, but as an anonymous user I am redirected to the login page. As far as I can see they are published, but I can't get them to show up as an anonymous user. I published them manually but have the same issue. Does someone else have this problem?
Hi, I have this issue. vofflan
Images now are loading... any idea?
The problem for us was that there was a default value set in the table [tblContentType] in the DB. I can't remember the exact value, but it was something like "DefaultMediaPreview..". I'm not sure of the exact column name, but it was something like "Defaultdisplayview". We removed the values in the field and then it started to work for us.
Good to know. If that occurs again I'll tell you if that solves the issue.
Can also add I ran into the same problem, and we removed from tblContentType and inserted NULL instead (CTRL+0)
"EPiServer.Cms.Shell.UI.Controllers.Preview.DefaultMediaPreviewController, EPiServer.Cms.Shell.UI, Version=220.127.116.11, Culture=neutral, PublicKeyToken=8fe83dea738b45b7"
From the line of the Default Image Controller