Vulnerability in EPiServer.Forms
We developed a custom report using the episerver gui plugin, everything works as expected, but we also want to hide the "Report" tab from the CMS menu from the admin.
I removed the user from the WebAdmin and Administrator permission groups, so the user was not able to see the admin tab after he logged in, but the "report" tab is showing under the CMS tab, and I couldn't find any settings to hide this.
The only solution I found so far is explicitly adding in the web.config to prevent user access to this page, but it looks ugly as user who doesn't have clicked on this link, it will show a popup window with login.
Can you guys suggest a best way to handle this?
In the latest EPiServer version, the code that regulates its availability is the following:
menuItem.IsAvailable = (request => PrincipalInfo.HasEditAccess);
I guess it's the same for older versions as well.
"HasEditAccess" basically checks whether the current user can go to "/episerver/cms/edit" (episerver may be replaced by your UI path). In general that would mean that all Editors will have access to "ReportCenter".
Thank you for your fast reply.
Where did you find that code?
I have opened the EPiServer.Cms.Shell.UI package, but have no clue which file needs to be modified. Can you provide some details on how to change it to WebAdmin/Administrator?
It's inside the class named "EPiServer.Cms.Shell.UI.CmsMenuProvider". I guess you can't really change it without modifying source code. I can imagine some sort of interception of the menu provider and replacing it with your own, but that's an extreme case.