Vulnerability in EPiServer.Forms
We are currently working on an Optimizely website with version 12 where we use Visitor groups in order to show/hide pages, blocks, text and more. When looking deeper into what Visitor groups offer, you can see that when you are adding a visitor group to, for example, a page, you can, as an editor, enable "read", "change", "delete" or "publish".
Would anyone know if it's possible to use these operations from a Visitor group into a page, where we have logic for external users? An example would be whether or not they can create/remove an item from a listing page.
So basically we want to map external users (with their roles) into our visitor groups and then use the options ("read", "write", "delete", "publish") to validate if they are able to view the page, delete, modify or save.
You can use visitor groups in the same way as you would use other groups/roles when setting permissions on pages. Just be sure to tick the "Make this visitor group available when setting access rights for pages and files" checkbox on the visitor groups you want to use for that purpose. You will need to ensure the users have access to the CMS in the first place though, so they would still need to be logged in and for their user to be mapped to the CmsEditors virtual role.
A bit late to the party but wanted to give my thoughts in case you are still after a suitable solution.
Assuming the external users are mapped to the WebEditors role to log in, in your authentication configuration code you can create a handler for the OnSignedInEvent to retrieve the external roles and add them to the user's Claims collection. This will then respect the page permissions settings you have applied for your custom Visitor Groups.
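
The role-to-claim mapping step described in the last reply, as an added example (not code from the thread or from Optimizely). It assumes ASP.NET Core cookie authentication under the default scheme name, a hypothetical `external_role` claim type and placeholder role names; it hooks the cookie handler's `OnSigningIn` event so the claims are added before the ticket is written, and maps through an allow-list so only expected roles are granted.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

public static class ExternalRoleMapping
{
    // Hypothetical claim type under which the external system sends its roles.
    private const string ExternalRoleClaimType = "external_role";

    // Constructed allow-list: external role value -> CMS role name (both placeholders).
    private static readonly IReadOnlyDictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["partner-listing-editor"] = "ListingEditors",
            ["partner-listing-reader"] = "ListingReaders",
        };

    // Adds one role claim per allow-listed external role. Unmapped values are dropped,
    // so the external system cannot grant a CMS role simply by sending its name.
    public static void AddMappedRoles(ClaimsIdentity identity)
    {
        var externalValues = identity.FindAll(ExternalRoleClaimType)
            .Select(c => c.Value)
            .ToList(); // materialize before the claim collection is modified

        foreach (var value in externalValues)
        {
            if (RoleMap.TryGetValue(value, out var role)
                && !identity.HasClaim(identity.RoleClaimType, role))
            {
                identity.AddClaim(new Claim(identity.RoleClaimType, role));
            }
        }
    }

    // Wiring for the default cookie scheme. Note: this assignment replaces any
    // OnSigningIn handler registered earlier; chain it if one already exists.
    public static IServiceCollection AddExternalRoleMapping(this IServiceCollection services) =>
        services.Configure<CookieAuthenticationOptions>(
            CookieAuthenticationDefaults.AuthenticationScheme,
            options => options.Events.OnSigningIn = context =>
            {
                if (context.Principal?.Identity is ClaimsIdentity identity)
                    AddMappedRoles(identity);
                return Task.CompletedTask;
            });
}
```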