Vulnerability in EPiServer.Forms
We currently have a setup where we allow users to preview a page without it being published, with all its assets that are stored in ContentAssetFolder.
The issue is currently that we can do a preview, but only if we have access to the EPiServer CMS UI as an editor.
So I have a million Monopoly dollar question:
How can we grant access to the users that are authorized to access the page, but shouldn't have access to the EPiServer CMS UI?
I assume you are using MVC. If so, then you can register a filter provider that removes the access check for certain requests (that is done by AuthorizeContentAttribute). You can see an example in ProjectFilterProvider in https://world.episerver.com/blogs/Mark-Hall/Dates/2016/11/anonymous-project-preview/
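One way to write such a filter provider so the access check is dropped only for a narrowly scoped request, as an added example that is not part of the original post or the linked blog's code. The class name, the `exp`/`sig` query parameters and the HMAC-signed link scheme are assumptions for illustration; it targets ASP.NET MVC 5 on .NET Framework 4.6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;
using EPiServer.Web.Mvc;      // AuthorizeContentAttribute
using EPiServer.Web.Routing;  // RequestContext.GetContentLink()

// Hypothetical provider: replaces the default attribute provider and removes
// AuthorizeContentAttribute only when the request carries a valid, unexpired
// signature bound to the content item being routed.
public class PreviewTokenFilterProvider : IFilterProvider
{
    private readonly IFilterProvider _inner = new FilterAttributeFilterProvider();
    private readonly byte[] _key; // assumption: secret loaded from protected configuration

    public PreviewTokenFilterProvider(byte[] key) { _key = key; }

    public IEnumerable<Filter> GetFilters(ControllerContext ctx, ActionDescriptor action)
    {
        var filters = _inner.GetFilters(ctx, action);
        var link = ctx.RequestContext.GetContentLink();
        var query = ctx.HttpContext.Request.QueryString;
        // Constructed parameters: ?exp=<unix seconds>&sig=<hex HMAC-SHA256>
        bool ok = link != null && IsValid(link.ID, query["exp"], query["sig"]);
        return ok ? filters.Where(f => !(f.Instance is AuthorizeContentAttribute))
                  : filters; // default: the access check stays in place
    }

    private bool IsValid(int contentId, string exp, string sig)
    {
        long expires;
        if (sig == null || !long.TryParse(exp, out expires)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires) return false; // link expired
        using (var hmac = new HMACSHA256(_key))
        {
            // The signature covers the routed content id, so a link for one page
            // cannot be replayed against another.
            var mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(contentId + "|" + exp));
            var expected = BitConverter.ToString(mac).Replace("-", "");
            return FixedTimeEquals(expected, sig.ToUpperInvariant());
        }
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

At startup the default `FilterAttributeFilterProvider` has to be removed from `FilterProviders.Providers` and this provider added in its place; otherwise the attribute is still returned by the default provider and the check continues to run.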
Thanks Johan, will try and get back with the result. ;)
There is also a NuGet package which does this for you: https://nuget.episerver.com/package/?id=eGandalf.Epi.PagePreview
Project site: https://github.com/egandalf/eGandalf.Epi.PagePreview