Vulnerability in EPiServer.Forms
We are importing an existing user base to our new Episerver project. The legacy CMS had a salt value per user row, so I created a custom application user and introduced the additional property of Salt value.
All is implemented fine, but I am having some problems with the above class: the abstract CreateUser method defines a fixed number of arguments, so I can't add my new salt value method. One workaround I had thought of was to perform an update immediately after creation with the salt value; not ideal, but it would work. However, I would like the admin users to still be able to use the create user facility in the backend, and this will only make use of the CreateUser method with no salt value.
Is there a way to replace the create user method globally, or alter the admin ui create user function to also perform the additional update?
This may be able to help: https://www.dcaric.com/blog/how-to-intercept-the-user-provider-in-episerver-10
Hi David, fantastic! That's exactly what I needed, thank you :)
That's great news! If you find it useful can you mark it as answered so other members of the community can benefit from the answer :)?
What I did in the end was completely intercept the CreateUser call only and implemented the extra field. To be able to do that you need to set the return value of the intercept and you will need an instance of the application user manager. Currently I have implemented identity as per the Alloy example, so it's not instantiated through DI, in which case I got my instance of application user manager by injecting the HttpContext and passing an instance of the OwinContext to create an instance of application user manager (typed to my user).
If you have a multi user type (in terms of class, not role) then you might want to specify the type of UIUserProvider when declaring the intercept; for my example we only have the one type of user class so this wasn't necessary.
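The approach Adam describes (intercept the registered UIUserProvider, delegate CreateUser to the default provider, then fill the extra field through the OWIN-hosted ApplicationUserManager), written out as an added example; this is not Adam's code and not Episerver's own. Assumed: the user class `SaltedApplicationUser`, the `Salt` property, the wrapper `SaltedUserProvider`, the initialization module name, that `ServiceConfigurationContext.Services.Intercept<T>` takes a `(locator, defaultInstance) => replacement` delegate as in the linked blog post, that the Alloy-style `Startup` has registered `ApplicationUserManager<SaltedApplicationUser>` per OWIN context, and that the default provider reports failure with a null user or a non-`Success` status. The legacy salt scheme itself is not shown; a fresh random salt is generated for users created through the admin UI.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using EPiServer.Cms.UI.AspNetIdentity;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.ServiceLocation;
using EPiServer.Shell.Security;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Assumed custom user: the Alloy ApplicationUser plus the per-user salt column
// carried over from the legacy CMS.
public class SaltedApplicationUser : ApplicationUser
{
    public string Salt { get; set; }
}

// Wraps the provider Episerver registered. Only CreateUser changes; every other
// abstract member of UIUserProvider is forwarded to the inner provider in the
// same way as GetUser below (the remaining forwards are omitted here).
public class SaltedUserProvider : UIUserProvider
{
    private readonly UIUserProvider _inner;

    public SaltedUserProvider(UIUserProvider inner)
    {
        _inner = inner;
    }

    public override IUIUser CreateUser(string username, string password, string email,
        string passwordQuestion, string passwordAnswer, bool isApproved,
        out UIUserCreateStatus status, out IEnumerable<string> errors)
    {
        // Let the default provider do the creation the admin UI expects, so the
        // fixed argument list stays untouched.
        var created = _inner.CreateUser(username, password, email, passwordQuestion,
            passwordAnswer, isApproved, out status, out errors);
        if (created == null || status != UIUserCreateStatus.Success)
        {
            return created; // assumption: failure surfaces as null or a non-Success status
        }

        // Identity is wired up in Startup (Alloy style), not in the DI container, so the
        // user manager is resolved from the OWIN context of the current request.
        var owinContext = HttpContext.Current.GetOwinContext();
        var userManager = owinContext.GetUserManager<ApplicationUserManager<SaltedApplicationUser>>();

        // Second write immediately after creation: the only way to store the salt when
        // CreateUser's signature cannot carry it.
        var saltedUser = userManager.FindByName(username);
        if (saltedUser != null)
        {
            saltedUser.Salt = NewSalt();
            var result = userManager.Update(saltedUser);
            if (!result.Succeeded)
            {
                errors = result.Errors;
                status = UIUserCreateStatus.ProviderError; // assumed enum member
            }
        }
        return created;
    }

    public override IUIUser GetUser(string username)
    {
        return _inner.GetUser(username);
    }

    // 16 random bytes from the OS CSPRNG, base64 encoded; a per-user salt must
    // never come from System.Random or be derived from the username.
    private static string NewSalt()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }
}

[InitializableModule]
[ModuleDependency(typeof(ServiceContainerInitialization))]
public class SaltedUserProviderInitialization : IConfigurableModule
{
    public void ConfigureContainer(ServiceConfigurationContext context)
    {
        // The delegate receives the provider Episerver would have used; returning the
        // wrapper is the "set the return value of the intercept" step.
        context.Services.Intercept<UIUserProvider>(
            (locator, defaultProvider) => new SaltedUserProvider(defaultProvider));
    }

    public void Initialize(InitializationEngine context) { }
    public void Uninitialize(InitializationEngine context) { }
}
```

Because the salt is written in a second call after the default provider has already committed the user, a failure of that second write leaves a user row without a salt; the example surfaces that through the `status` and `errors` out-parameters rather than hiding it, so the admin UI can show the problem instead of silently leaving an account in a half-migrated state.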
Thanks for sharing your experience Adam! Happy intercepting :)