Vulnerability in EPiServer.Forms
Has anyone experienced the following or would know how to fix it:
Under Admin > Access Rights > Administer Groups I created a new group, and added some users to it.
Under Admin > Access Rights > Set Access Rights I click on a page in the tree and wish to edit the rights for this section. I untick "Inherit settings from parent item" and then click on "Add Users/Groups" button.
In the form that pops up under Type I select Groups. I leave the Name field empty and click on Search. I am presented with some groups but the one I have created does not appear in the list.
Any idea what's going on and how to get my group to show up?
What provider does it say the group has been created with when you look in Administer Groups?
Are you using ASP.NET Identity (The OOTB standard) for CMS access?
I checked and this is working in the Alloy Demo
Hi Scott, thanks for your helpful input as usual. Under provider it says: EPi_AspNetIdentityRoleProvider (in fact this provider is under all existing groups on our site as far as I can see). Is this the OOTB?
Can you check that everything for ASP.NET Identity is configured as per https://world.optimizely.com/documentation/developer-guides/CMS/security/episerver-aspnetidentity/
You should have code for it in your Startup.cs file and the areas for auth and members removed, such as:
<!-- Web.config, inside <system.web>. The <forms> element is a child of <authentication>. -->
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" />
<!-- The profile properties and the profile provider belong inside <profile>. -->
<profile defaultProvider="DefaultProfileProvider">
  <properties>
    <add name="Address" type="System.String" />
    <add name="ZipCode" type="System.String" />
    <add name="Locality" type="System.String" />
    <add name="Email" type="System.String" />
    <add name="FirstName" type="System.String" />
    <add name="LastName" type="System.String" />
    <add name="Language" type="System.String" />
    <add name="Country" type="System.String" />
    <add name="Company" type="System.String" />
    <add name="Title" type="System.String" />
    <add name="CustomExplorerTreePanel" type="System.String" />
    <add name="FileManagerFavourites" type="System.Collections.Generic.List`1[System.String]" />
    <add name="EditTreeSettings" type="EPiServer.Personalization.GuiSettings, EPiServer.Cms.AspNet" />
    <add name="ClientToolsActivationKey" type="System.String" />
    <add name="FrameworkName" type="System.String" />
  </properties>
  <providers>
    <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=126.96.36.199, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="EPiServerDB" applicationName="/" />
  </providers>
</profile>
Interestingly, my startup.cs looks completely different with many sections commented out: [removed]
Scott, did I understand you correctly: is the configuration block you shared supposed to be in my Startup.cs or elsewhere? I still can't get this group assignment to work, unfortunately, and I'm pretty desperate here.
I don't see anything wrong with your Startup.cs code. What Scott was showing is some of what's needed in Web.config to support ASP.NET Identity, such as setting the mode in <authentication> to "None", and making sure the <membership> and <roleManager> sections are cleared out.
What groups do you see in the pop up? Are they just the virtual roles?
I'm seeing the following groups only:
Interestingly enough, when I edit the users, I can see under "Not member of" a list of all the groups including the new ones I have created and can add the user to these groups.
Are you able to share your web.config (removing any sensitive areas)?
Also can you check your solution for any references to ISynchronizedUsersRepository as this is the system that syncs users/roles and also returns results when looking in roles.
I have gone ahead and removed and renamed sensitive areas. Here is the web.config, do you see anything that could be the culprit? [removed]
Can you remove
<add name="SynchronizingProvider" type="EPiServer.Security.SynchronizingRolesSecurityEntityProvider, EPiServer" />
And try again
Wow bingo! I can now see all the groups that have been created and can assign them. Thanks so much Scott! Is this something I can safely remove from our production server? Any drawbacks to having it removed?
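As an added example (an editor's excerpt, not something posted in the thread), here is a constructed Web.config fragment that puts together the two configuration points raised above: the ASP.NET Identity settings Eric describes (authentication mode "None", Membership and RoleManager providers cleared) and the <episerver.framework> section with the SynchronizingProvider entry Scott asked to remove. The comments give my reading of why that entry hid the new group; it is an inference drawn from Scott's pointer to ISynchronizedUsersRepository and the result in the final post, not something the thread itself states. The <configSections> declarations, connection strings and the rest of the file are left out.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed Web.config excerpt for a CMS site whose users and roles are
     managed by ASP.NET Identity (the EPi_AspNetIdentityRoleProvider seen in
     Administer Groups). Not the original poster's file. -->
<configuration>
  <system.web>
    <!-- ASP.NET Identity issues the login cookie through OWIN, so classic
         Forms authentication is switched off instead of configured. -->
    <authentication mode="None" />

    <!-- Legacy Membership and Role providers are cleared so that only the
         Identity providers answer user and role lookups. -->
    <membership>
      <providers>
        <clear />
      </providers>
    </membership>
    <roleManager enabled="false">
      <providers>
        <clear />
      </providers>
    </roleManager>
  </system.web>

  <episerver.framework>
    <!-- The "Add Users/Groups" search in Set Access Rights is served by the
         security entity provider. In the poster's file this section held

           <securityEntity>
             <providers>
               <add name="SynchronizingProvider"
                    type="EPiServer.Security.SynchronizingRolesSecurityEntityProvider, EPiServer" />
             </providers>
           </securityEntity>

         That provider answers role searches from ISynchronizedUsersRepository,
         i.e. from roles synchronized in from an external login provider, so a
         role that exists only in the ASP.NET Identity store is not returned.
         The user editor's "Not member of" list is served by the role provider
         instead, which is why the group was visible there (my inference from
         the thread, not a statement in it). With the section removed, as
         below, the default provider is used and Identity roles are listed. -->
  </episerver.framework>
</configuration>
```

On the closing question about drawbacks: in the Optimizely documentation this provider belongs to the setup for synchronizing users and roles from an external login provider (OWIN claims-based logins such as Azure AD), where it is what makes the synchronized roles searchable in Set Access Rights. If all roles on the site live in ASP.NET Identity, it serves no purpose and removing it costs nothing; if a federated login is added later, the entry is needed again and Identity-only roles would once more drop out of the search. Make the change on a non-production environment first and confirm both that the group search lists every expected group and that existing access-right assignments still resolve.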