Try our conversational search powered by Generative AI!

Access restriction failed when unauthorized user directly access URL in commerce manager


I feel its a bug in the episerver ecommerce security module.
Issue : when a unauthorized user logs into episerver ecommerce and directly browses any URL in commerce except BFO views he is able to view them without any restriction.

Example scenario to replicate the problem :

1. Create a role "Report viewer" with only login and view to reporting tab
2.Create a user "XYZ" in commerce and assign "Report viewer" role.
3. Login as "XYZ" as per the given permission he is able to see "Reporting tab"
4. It is fine upto here. But if we browse "Catalog batch update" link URL (Catalog management > Catalog batch update) with out any restriction he is able to view it. (Example url : http://localhost:61000/Apps/Shell/Pages/default.aspx#right=http%253A%2F%2Flocalhost%253A61000%2FApps%2FShell%2FPages%2FContentFrame.aspx%253F_a%253DCatalog%252526_v%253DCatalogBatchUpdate-List)

This is the issue. Because the role doesn't have even view permission to Catalog management.

I have verified the "CatalogBatchUpdate-List.xml" where we specify <ViewConfig> tag along with its permission attribute
<setAttributes id="CatalogBatchUpdate-List" name="{CatalogStrings:Catalog_Catalog_Batch_Update}" controlUrl="catalog/CatalogBatchUpdate.ascx" permissions="catalog:ctlg:entries:mng:edit" help="Catalog+Management"></setAttributes>
Please note that it is already having "permissions="catalog:ctlg:entries:mng:edit"" attribute, but the restriction is not applied while loading.

I found the same issue with other links also like all the links and product urls under catalog management , links under Order management tab... etc.

Note that the view level security only applied to the BFOs. all the other links are not restricted when browsed directly Especially Catalog management and Order management links (important).

A straight forward question is "Where is the security in Episerver Ecommerce" ? It is a bug or am i missing any other configurations ? should any thing to be configured to apply the restriction? Please let me know

Thanks in advance,

Jul 01, 2014 7:55


Which version you are using? I'm trying this on latest nuget package (which should be same as 7.5 as we haven't made changes to this area since), and it works as intended - I got this messge, which is correct:

Access Denied

Your account does not have rights to access this feature of the commerce manager. Please contact your system administrator for more information. 


Jul 03, 2014 10:48

Hi Quan Mai

Thanks for reply, I am using Episerver 7. Please validate the same scenario in Episerver 7 also. It is not working in Episerver 7 version.



Jul 07, 2014 6:10


I can confirm that this bug happens on Commerce R3. However, as this bug appears to be fixed in 7.5, we recommend to upgrade to EPiServer Commerce 7.5 - which included new features and other bug fixes.

My appologies for initial response. We recommend to upgrade instead.



Edited, Jul 07, 2014 6:39
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.