Vulnerability in EPiServer.Forms
We've upgraded our CMS and now have the feature where expired pages return 404. I understand why this is so, but our editors are a little bit confused.
Before, when you were logged in as an editor, you could "preview" an expired page by browsing to it. Of course, if you were an ordinary user you would end up on the login screen.
What is best practice when it comes to previewing pages? Should you use the preview mode inside the editor (basically clicking on the button with the box and magnifying lens)?
Which EPiServer version is this? I can confirm that in the sample alloytech site expired pages are still accessible by editors.
The title in admin mode says EPiServer CMS 10.10.0.0.
Inside EPiServer's edit mode the page is displayed fine. However, if I'm logged in and click on "Show on website" I end up with a 404. The same goes if I'm logged in and browse to the page, entering the address manually.
I've recently upgraded, so maybe there's something else interfering.
Oh, this case, I think it was mentioned somewhere in the breaking changes.
With help from an awesome fellow (Daniel Ovaska), I refreshed my memory and found that piece of code.
So, your page controller inherits from EPiServer.Web.Mvc.PageController<T>, which inherits from EPiServer.Web.Mvc.ContentController<T>, which is decorated with the attribute [AuthorizeContent], whose method implementation, OnAuthorization, checks whether the routed content could not be loaded or the content is not routable (meaning it's expired). If so, and the current user is not in EditOrPreview mode, you will get back HttpNotFoundResult().
If you really want to change this behavior (I mean there have to be really good reasons for EPiServer to change this functionality from the older version), one of the options would be to roll your own page controller that inherits directly from ActionControllerBase (parent of ContentController) with a custom [AuthorizeContent] attribute that does not blow up with a 404, but instead does your required magic.
I totally agree with you - there must be a good reason for EPiServer to make this change. Me, I don't work in edit mode as much as our editors, so I guess the change is more noticeable to them. It's clearly better with a 404 to the outside world. On the other hand, when you're logged in as an editor, maybe you should be able to view the page.
Unfortunately for me I'm currently maintaining a website with mixed content: Web Forms and MVC.
Edit: Regarding the breaking change, I think it's this one: CMS-1320.
```csharp
using EPiServer.Core;
using EPiServer.Security;
using EPiServer.Web;
using EPiServer.Web.Routing;

public class ImprovedPreviewRoutableEvaluator : IRoutableEvaluator
{
    private readonly IContextModeResolver _contextModeResolver;
    private readonly IPublishedStateAssessor _publishedStateAssessor;

    public ImprovedPreviewRoutableEvaluator(IContextModeResolver contextModeResolver, IPublishedStateAssessor publishedStateAssessor)
    {
        this._contextModeResolver = contextModeResolver;
        this._publishedStateAssessor = publishedStateAssessor;
    }

    public bool IsRoutable(IContent content)
    {
        // Published content stays routable for everyone (the injected assessor was unused in the posted snippet);
        // unpublished or expired content is routable only in edit/preview mode or for users with Edit access.
        return this._contextModeResolver.CurrentMode.EditOrPreview()
            || this._publishedStateAssessor.IsPublished(content)
            || content.QueryDistinctAccess(AccessLevel.Edit);
    }
}
```
So basically, don't just check if you are in edit/preview mode. Also check if you have edit access to the page, and then allow viewing it even if it's not currently published. Needs a small change in the IRoutableEvaluator + registering it in the IoC container to make Episerver use it instead. Fun question! Also a good example of how Episerver has been getting a better and better architecture since Episerver 7, which allows you to do stuff like this :)
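The registration step mentioned above, as an added example that is not part of the post: a configurable initialization module that swaps the CMS's default IRoutableEvaluator for the ImprovedPreviewRoutableEvaluator. It assumes the CMS 10 IServiceConfigurationProvider extension methods (context.Services.AddSingleton) and the module/dependency attribute names used by EPiServer.Framework; the class name PreviewRoutingInitialization is made up here.

```csharp
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.ServiceLocation;
using EPiServer.Web.Routing;

// Assumed module name; replaces the default IRoutableEvaluator with the one from the post.
// Depends on ServiceContainerInitialization so the container exists when this runs,
// and the last registration made for a service is the one Episerver resolves.
[InitializableModule]
[ModuleDependency(typeof(ServiceContainerInitialization))]
public class PreviewRoutingInitialization : IConfigurableModule
{
    public void ConfigureContainer(ServiceConfigurationContext context)
    {
        // Resulting behaviour for an expired page:
        //   anonymous visitor                 -> still a 404 (not published, no Edit access)
        //   logged-in editor with Edit access -> page renders outside edit/preview mode
        //   logged-in user without Edit access -> still a 404
        context.Services.AddSingleton<IRoutableEvaluator, ImprovedPreviewRoutableEvaluator>();
    }

    public void Initialize(InitializationEngine context) { }

    public void Uninitialize(InitializationEngine context) { }
}
```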
Oh, awesome - that's another way to customize this behavior. Forgot about the evaluator... my memory is getting worse :))