Vulnerability in EPiServer.Forms
I created a user and added the user to the CommerceSettingsAdmins group. The user can log in to Epi server admin, but when clicking the Commerce link, the user is automatically redirected to the login page as if it was logged out. But if I access /episerver/commerce/settings directly, the said user can access it. I think I'm having problems with the URL access for CommerceSettingsAdmins but do not know which part to change. Please advise.
Without trying, you probably want to add this
<authorization>
  <allow roles="WebEditors, WebAdmins, Administrators, CommerceSettingsAdmins" />
  <deny users="*" />
</authorization>
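To see which `<location>` blocks in a web.config admit a given role, the following added example (not code from this thread or from the product) evaluates each block's `<authorization>` rules in order, first match wins, for an authenticated user. The sample config, its paths and role lists, and the `audit` and `decide` helpers are constructed for illustration; per-user names and verbs are not modeled.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment; paths and role lists are illustrative only.
SAMPLE = """
<configuration>
  <location path="episerver/CMS/admin">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators, CommerceSettingsAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="episerver/commerce">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators, CatalogManagers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

def _names(value):
    # Split a comma-separated attribute into trimmed, case-insensitive names.
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def decide(rules, user_roles):
    """Return the tag ('allow'/'deny') of the first rule matching an authenticated user."""
    roles = {r.lower() for r in user_roles}
    for rule in rules:
        # users="*" matches everyone; users="?" (anonymous) never matches here.
        if "*" in _names(rule.get("users")) or _names(rule.get("roles")) & roles:
            return rule.tag
    return "inherit"  # nothing matched in this block; the parent configuration decides

def audit(config_xml, user_roles):
    """Map each <location path> that has an <authorization> block to its decision."""
    root = ET.fromstring(config_xml)
    result = {}
    for loc in root.iter("location"):
        auth = loc.find("system.web/authorization")
        if auth is not None:
            result[loc.get("path")] = decide(list(auth), user_roles)
    return result

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE, ["CommerceSettingsAdmins"]).items():
        print(f"{path}: {verdict}")
```

Running it against the real web.config with the user's actual roles shows every path where the role falls through to `<deny users="*" />`.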
Hi, thanks for the reply! I tried it but unfortunately it did not work. I tried adding the user to CatalogManagers and it was able to access the Commerce tab as well as the settings. Not sure why it redirects me to the login page though, since I added user groups to "episerver/CMS/admin" and it allowed the users that belonged to that group to log in.