Vulnerability in EPiServer.Forms

Visitor groups use as CRUD Options?


Hello,

We are currently working on an Optimizely website with version 12 where we use Visitor groups in order to show/hide pages, blocks, text and more.
When looking deeper into what Visitor groups offer, you can see that when you are adding a visitor group to, for example, a page, you can, as an editor, enable "read", "change", "delete" or "publish".

Would anyone know if it's possible to use these operations from a Visitor group in a page where we have logic for external users?
An example would be whether or not they can create/remove an item from a listing page.

So basically we want to map external users (with their roles) into our visitor groups and then use the options ("read, write, delete, publish") to validate if they are able to view the page, delete, modify or save.

Thanks!

#292748
Edited, Dec 06, 2022 13:36

You can use visitor groups in the same way as you would use other groups/roles when setting permissions on pages. Just be sure to tick the "Make this visitor group available when setting access rights for pages and files" checkbox on the visitor groups you want to use for that purpose. You will need to ensure the users have access to the CMS in the first place though, so they would still need to be logged in and their user would need to be mapped to the CmsEditors virtual role.

#292791
Dec 07, 2022 9:54
Alexander Helsinghof - Dec 07, 2022 15:23
Hello Paul, thank you for your response.
This scenario is only for external users with external roles, meaning we don't have the roles connected into Optimizely.

So for our external users I have created a custom criterion which basically checks if the user has a role that comes from another system.
If the user has that specific role we let the user see a specific page.
However, I would also like to use the "Create, Read, Save & Delete" options which come into play when using the Visitor group.

That's why I'm curious if you could use the different CRUD operations to handle different scenarios on the website... What do you think?


A bit late to the party but wanted to give my thoughts in case you are still after a suitable solution.

Assuming the external users are mapped to the WebEditors role to log in, in your authentication configuration code you can create a handler for the OnSignedInEvent to retrieve the external roles and add them to the user's Claims collection. This will then respect the page permissions settings you have applied for your custom Visitor Groups.

#295874
Feb 03, 2023 3:07
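
The approach in the last answer, as an added sketch that is not code from the thread or from Optimizely: external roles are fetched at sign-in, filtered through an allow-list, and added as role claims. It assumes ASP.NET Core cookie authentication and uses its `OnSigningIn` event; `IExternalRoleClient`, the role names and the `scheme` parameter are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical client for the external system that owns the roles.
public interface IExternalRoleClient
{
    Task<IReadOnlyCollection<string>> GetRolesAsync(string userId);
}

public static class ExternalRoleClaims
{
    // Constructed allow-list: external role -> role name used for access rights.
    // Unlisted roles are dropped, so the external system cannot grant a CMS
    // role (for example an administrator role) just by naming it.
    private static readonly Dictionary<string, string> Allowed =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["listing-reader"] = "ExternalListingReaders",
            ["listing-manager"] = "ExternalListingManagers",
        };

    public static List<Claim> Map(ClaimsIdentity id, IEnumerable<string> external) =>
        external.Where(Allowed.ContainsKey)
                .Select(r => Allowed[r])
                .Distinct()
                .Where(r => !id.HasClaim(id.RoleClaimType, r))
                .Select(r => new Claim(id.RoleClaimType, r))
                .ToList();

    // Call after the cookie scheme is registered; this replaces any
    // OnSigningIn handler already set for that scheme.
    public static void Configure(IServiceCollection services, string scheme) =>
        services.Configure<CookieAuthenticationOptions>(scheme, options =>
        {
            // OnSigningIn runs before the cookie is written, so the added
            // claims are stored in the authentication ticket.
            options.Events.OnSigningIn = async ctx =>
            {
                if (ctx.Principal?.Identity is not ClaimsIdentity id) return;
                var userId = id.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                if (string.IsNullOrEmpty(userId)) return; // fail closed
                var client = ctx.HttpContext.RequestServices
                    .GetRequiredService<IExternalRoleClient>();
                id.AddClaims(Map(id, await client.GetRolesAsync(userId)));
            };
        });
}
```

Because the claims are fixed in the ticket at sign-in, a role revoked in the external system stays effective until the cookie expires or the user signs in again.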