Vulnerability in EPiServer.Forms
We've created a number of custom reports that we've added to the reports part of the CMS and they are working great.
However, our users who are members of groups with only read and change permissions get redirected to a login screen when they try to access the reports. This doesn't happen with the default "Page Reports" that are included as standard ('Not published Pages', 'Changed Pages' etc...).
Is there something we need to do to set the permissions on custom reports? How can we configure this to give access to the reports to all users with access to the CMS?
Check that you have granted access to the correct groups for the actual files in location tag in Web.config. Might need to add your own group here...
<allow roles="WebAdmins, Administrators" />
<deny users="*" />
Also check your GuiPlugIn attribute on the class for reports and check access rights there.
[GuiPlugIn(Area = PlugInArea.ReportMenu,
DisplayName = "Page Types Usage Report",
Description = "Lists pages of a specific page type",
Category = "Usage Reports",
RequiredAccess = AccessLevel.Administer,
Url = "~/modules/UsageReports/PageTypeUsageReport.aspx")]
public partial class PageTypesUsageReport : WebFormsBase
For instance, the above report demands administer rights...might want to lower that...