Vulnerability in EPiServer.Forms
I'm running a CMS 8.8 site with webforms. (yep)
I have a button which should be visible if the logged on user has AccessRight.Delete on the current page. This is implemented in code like this:
lnkDeleteButton.Visible = CurrentPage.QueryDistinctAccess(AccessLevel.Delete);
In edit mode, it's set that the Creator role should have Delete access, but the user who actually created the page does not see the delete button. (I have also verified that the "Last published by" is the logged-on user, and hence the creator of the page.)
Is there anything I'm missing with the Creator-role and the Delete access in editmode?
Sounds like it should work. Maybe set up logging with EPiServer.Logging and log the roles on the user and the return value of QueryDistinctAccess. Have you tested the functionality with users with and without the Creator role?
It also might be that you overwrite the value of Visible later in the page life cycle. It wouldn't be the first time :)
Thanks Daniel, that's what I thought. I will investigate further :)