Vulnerability in EPiServer.Forms
I don't know if I'm dumb or not, but I find no way of deleting a project I created, the options are greyed out:
Do I need to create some ProjectAdministrator-group or something?
Nope, not needed, somethings wrong, check in the F12 panel if you have any red (500) request?
The solution I'm working at, have the same problem (latest epi + commerce).
No 500 error messages here
Nope, no 500 Server errors here either. Running latest version as well. Let me pop up a pure Alloy EPi 10 latest version. To see what happens
Ok, so i've installed EPi10 and upgraded it to the exact same version. And it works there.
So I did some more digging, it actually works in my development environment, the optioned are not greyed out there. It doesn't work in any of the testing environments. Which are all hosted in the Azure Cloud and EPiServer DXC Cloud.
So I investigated any configuration differences, and made the cloud environment as close as identical as possible with debug activated and customErrors=Off and similar - But with no change, still can't delete or rename projects when the application is deployed to Azure Website.
Just for information, mine doesn't work in development or testing (haven't tested in production). Not hosted in the cloud :)
Is there any more info I can get on this one?? I can't understand in anyway why it is happening. Any logs, more info will be appriciated.
I don't have any more info regarding this right now, my plan was to install an Alloy EPi version 10 site into the Azure, but lack of time has stopped me from doing that.
I think I know whats wrong. It have something to do with the compressed JS, because if I add EPiServer.CMS.UI.Sources to the project and <clientResources debug="true" /> to the <episerver.framework> section then everything works as expected.
Can you try that Magnus?
We have the same problem: projects can be deleted in development environment with <clientResources debug="true" />, but not on production/test with minimized Episerver js. Our EPiServer.CMS.UI version is 10.4.0.
Do you have any add-ons installed? We're not able to reproduce with a clean install.
When you say "development environment", do you mean locally on your machine or hosted somewhere (Azure etc)?
We have plenty of add-ons installed: Commerce, Find, Forms, Language Manager, Google Analytics, LanguageWire etc :) Maybe others have less. I can try to remove simple add-ons like Forms, LM, GA and LW and see if it helps. Dev environment is my local machine, but I think the only difference is <clientResources debug="true" /> option.
We're using the following add-ons:
We do not have the <clientResources debug="true" /> set in our development environment, and we can edit projects locally. (IIS local server 10.0 on Windows 10)
And we do not inject the EPiServer.CMS.UI.Sources specifically either, but mayby some debug="true" flags loads them anyway.
We the following Security providers, and session-providers that support cloud:
We do use gZip compressions, static caching, and output cache in our test and production environment, but disabled in our development environment (local).
-sitemap (and for commerce)
-FontThumbnail (this was added later so this is not the culprint at least)
And probably some more I have forgot at the moment
I've managed to reproduce this now and it seems to be related to the LanguageManager addon.
Could anyone of you verify this by removing the addon and see if that helps?
Confirmed for my solution at least :)
Great to hear Sebastian! Did you remember to remove the <clientResources debug="true" /> from your config?
I added the addon back and then I couldn't delete project again ;)
Thanks! I've seen the same on two additional environments now so I think we can say that we've found what causes the issue.
I'll make sure that the team responsible for the LanguageManager addon is notified.
Thanks for the feedback everyone. It's now reported as a bug in the LanguageManager addon with id: LM-51
The fix for LM-51 was released today in update 156.