Vulnerability in EPiServer.Forms
I have a situation where I would like to meet the following requirements:
Right now the menus work just great by fetching the pages with the GetChildren method. Also, if I set up the ACL for a page to only allow authenticated users, it works fine and redirects the user to a login form (via the web.config settings). However, the problem occurs when the user needs to meet additional criteria to access a page, e.g. needs to belong to a certain group of users in the database. I have developed custom role and membership providers and tried to restrict a page (via the ACL) to not only authenticated users, but they must also have a specific role. But then when a user who lacks proper access tries to access this page, he is only presented with an ugly access denied exception. Where and how is the best way to handle this exception? I would like to try-catch it and then compare what access is missing, and redirect the user to different pages, depending on the result. Of course it works by just checking this manually in every such page type, but that is just ugly!
Any ideas on how to tackle this?
You have to check access rights to the page yourself:
    bool canRead = page.GetSecurityDescriptor().HasAccess(PrincipalInfo.CurrentPrincipal, AccessLevel.Read);
So you'll have to get the page with AccessLevel.NoAccess first and then perform the access check on the CurrentPrincipal.
See this blog post: http://labs.episerver.com/en/Blogs/Enes-Bajramovic/Dates/2008/10/SecurityDescriptor-for-access-rights-checking/
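The check from the answer above, centralised so that each page type does not repeat it (an added example, not code from the thread or from EPiServer). PageAccessGate, AccessOutcome and NoRoleUrl are hypothetical names; the page is assumed to have been loaded without an access check as the answer describes, and forms authentication is assumed to be configured in web.config.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using EPiServer.Core;
using EPiServer.Security;

public enum AccessOutcome { Granted, LoginRequired, RoleMissing }

public static class PageAccessGate
{
    // Hypothetical URL of a page explaining that the account lacks the required role.
    private const string NoRoleUrl = "/no-access.aspx";

    // Pure decision: no redirects here, so it can be reused and tested on its own.
    public static AccessOutcome Evaluate(PageData page, IPrincipal user)
    {
        bool canRead = page.GetSecurityDescriptor().HasAccess(user, AccessLevel.Read);
        if (canRead)
            return AccessOutcome.Granted;

        // Denied: an anonymous visitor needs to log in first; an authenticated
        // one is missing a role (or other entry) that the page ACL requires.
        return user.Identity.IsAuthenticated
            ? AccessOutcome.RoleMissing
            : AccessOutcome.LoginRequired;
    }

    // Call early in the page life cycle (before any content is rendered).
    // Every outcome other than Granted ends the response, so a denied
    // request never falls through to rendering the protected page.
    public static void Enforce(PageData page, HttpContext context)
    {
        switch (Evaluate(page, PrincipalInfo.CurrentPrincipal))
        {
            case AccessOutcome.Granted:
                return;
            case AccessOutcome.LoginRequired:
                // Uses the loginUrl from web.config and appends ReturnUrl itself.
                FormsAuthentication.RedirectToLoginPage();
                context.Response.End();
                break;
            default:
                // Fixed target, never a URL taken from the request.
                context.Response.Redirect(NoRoleUrl, true);
                break;
        }
    }
}
```

Keeping the decision in Evaluate and the redirect in Enforce means the security descriptor itself stays free of side effects.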
Thank you, very nice blog post there.
So correct me if I'm wrong; I can simply implement the ISecurityDescriptor and perform my own additional security checks, then for every page which needs these extra features, I just perform the access check on the CurrentPrincipal? Sounds good. Where in the page cycle does this check need to be performed, to prevent EPiServer and the AccessDenied exception from coming first?
And by the way, in those implemented methods of the ISecurityDescriptor, can I do whatever I want if the user lacks access, like redirecting and so on, without messing up anything else? Would be nice to not have all redirect/error code bloated on every page.
Big thanks /Martin
Edit: Misread the article at first, now I understand that I need to inherit from PageData to override the GetSecurityDescriptor() method.