Vulnerability in EPiServer.Forms
I have created a visitor group "Test" that says that profile email should contain "@myemail.com". Then I have a CMS page where I remove Everyone and add "Test" with Read access rights. After logging in with my Commerce user, a contact in Commerce that has a connected user with email firstname.lastname@example.org, I still cannot access the page.
I guess it might have something to do that it is not a user in the CMS, but how can this be solved? Do I need to develop my own criteria?
Unless I'm mistaken, you can't use Visitor Groups as Security groups.
If what you are looking for is to gate some content on your CMS page, you could use the visitor group you created to only show your content to user that match your criteria. An example of this was explained in the following article https://www.codeart.dk/blog/2021/9/editor-hack-add-simple-password-protection-to-some-content-code-free/ where the content was gated by a form and a visitor group. But in your case, it could be replaced by your visitor group.
That is strange. When managing access rights you can select a visitor group and give the group Read access. Why can you do that if it does not work?
I did a test on the latest version of Foundation (cms12) and I was able to achieve the result you were looking for.
I created a Visitor Group and checked the option to use it for Access Rights.
Then I updated the Access Rights on my Home page to remove the Read option for all the groups and I only keep my Visitor Group (ForumVG) with read access.
Following this config, only authenticated users with the @example.com email can access the page.
Is it the CMS version you are using or are you on cms11?
Ok, that is good! Then the question is why it doesn't work on CMS11/Commerce13. Does anyone know?
I did a test on a CMS11 Alloy instance and I got the same results as for CMS12.
I created my Visitor Group with the same settings as for CMS12.
Then I configured the Access Rights on the Alloy Plan section to only allow the Read access to my Visitor Group (ForumVG).
Then when I access the site, I can only see and access the Alloy Plan Section with a user matching my Visitor Group criteria.
For my examples, I used CMS users. I think this might be a difference with your setup. How do you create and configure your Commerce User?
I think the problem is that it is a Commerce user.
Users are added in the AspNetUsers table in the Commerce database and are connected to the cls_Contact table using the UserId table and the value "String:email@example.com".
We are using this plugin to handle the Commerce users:
I'm not sure why this is used, it was implemented like 6 years ago.
From what I can see, I think you will need to create your own visitor group criteria, since the user information is not part of the CMS database (and user profile) but in Commerce instead.
Ended up creating our own criteria, works just fine.
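A custom visitor group criterion of the kind the thread ends up with, as an added example (not code from the thread or from Optimizely). It assumes the CMS 11 / Commerce 13 APIs (CriterionBase with HttpContextBase) and that CustomerContext.Current.CurrentContact resolves the Commerce contact for the logged-in user; it also uses a suffix match rather than "contains", so "@myemail.com" does not match an address like user@myemail.com.other.example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using EPiServer.Personalization.VisitorGroups;
using Mediachase.Commerce.Customers;

// Criterion model: the editor enters the e-mail domain to match, e.g. "@myemail.com".
public class CommerceEmailDomainModel : CriterionModelBase
{
    public string EmailDomain { get; set; }

    public override ICriterionModel Copy()
    {
        return ShallowCopy();
    }
}

[VisitorGroupCriterion(
    Category = "Commerce",
    DisplayName = "Commerce contact e-mail domain",
    Description = "Matches when the logged-in Commerce contact's e-mail ends with the configured domain")]
public class CommerceEmailDomainCriterion : CriterionBase<CommerceEmailDomainModel>
{
    public override bool IsMatch(IPrincipal principal, HttpContextBase httpContext)
    {
        // Anonymous visitors never match, even when the group is used for access rights.
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        var domain = Model?.EmailDomain;
        if (string.IsNullOrWhiteSpace(domain))
            return false;

        // Look the e-mail up on the Commerce contact (cls_Contact) rather than the
        // CMS profile, which is empty for users that only exist in Commerce.
        // Assumption: CurrentContact is the contact linked to the authenticated user.
        var contact = CustomerContext.Current.CurrentContact;
        var email = contact?.Email;
        if (string.IsNullOrWhiteSpace(email))
            return false;

        // Suffix match: a plain "contains" check would also accept addresses whose
        // domain merely starts with the configured value.
        return email.EndsWith(domain, StringComparison.OrdinalIgnoreCase);
    }
}
```

Once compiled into the site, the criterion appears under the "Commerce" category when editing a visitor group, and the group can then be used for Read access rights as described above.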