Vulnerability in EPiServer.Forms
I'm developing various submenu controls and a sitemap control. We have a specific requirement of needing to display all subpages of some top-level pages, totally ignoring whether the subpage in question needs an authenticated user or not. As I have come to understand, DataFactory.Instance.GetChildren doesn't allow us to do this.
What I have done is to use FindAllPagesWithCriteria, but how do I create a criteria which filters on only published and only visible in menu? Right now I'm using something like this:
PropertyCriteria oCrit = new PropertyCriteria();
oCrit.Condition = EPiServer.Filters.CompareCondition.GreaterThan;
oCrit.Name = "PageStartPublish";
oCrit.Value = DateTime.Parse("1/1/1900").ToString();
oCrit.Type = PropertyDataType.Date;
And then I'm using this with the FindAllPagesWithCriteria(..) method and then applying the EPiServer filter classes to apply other filters. And in some cases I have to do even additional filtering to only have parents etc. So it feels like very much unnecessary looping and fooling around with the collection before I can get what I want. There must be some other way, do you guys know any better solution?
And lastly, it seems that I cannot use EPiServer controls like PageTree or PageList as these controls use the GetChildren method. For now I am using nested Repeaters with some recursion in the OnItemBound event. Sure, it does work, but there must be more efficient ways..?
I'm using version 5.2.375.7.
Hm yes, you are right, I must have mixed something up. GetChildren really does get all children even if the current user has insufficient access to them.
However when using this PageDataCollection as a DataSource for the EPiServer PageList control I'm doing this:
PageDataCollection pages = DataFactory.Instance.GetChildren(page.PageLink, LanguageSelector.AutoDetect(true));
pageList.DataSource = pages;
pageList.DataBind();
In this PageDataCollection there are some pages that require the user to be authenticated, i.e. I have set the access level in admin mode for that page to Read for "Authenticated", and removed the Read flag for "Everyone".
What do I set the pageList.RequiredLevel to, in order to achieve this? I've tried some of these property values, without success; I think none of them really makes sense in this scenario.
Big thanks for your reply (and pardon my English in the last post, I was in a big hurry :))!
Of course I can just go with an ordinary asp:Repeater and then it all works fine, but it would be nice to get this to work according to the ACL of the page, which I apparently am not 100% sure how to make use of.
If you guys don't mind I also have a follow-up question. When the user clicks on a link to a page where he does not have access (needs to be logged in), I can redirect him to the login page via the web.config property
<forms name="EPiServerLogin" loginUrl="~/Templates/Public/Pages/Login.aspx" timeout="120" />
But when using this, all page properties etc. seem to get lost when redirecting to this "static URL", so it looks kind of weird. How may I get around this?
Again, thanks for any help!
I am not sure I understand the issue correctly. If you want some pages to be hidden from anonymous users, do just as you described (remove Read access for Everyone and add it for Authenticated), and then set RequiredAccessLevel to AccessLevel.Read (which is the default, so you don't need to set it). Then these pages should only show up for authenticated users.
Edit: Now I think I understand. If you want all pages to show up anyway, use AccessLevel.NoAccess. Then it's up to your template to treat the pages (e.g. don't display links to pages that the user doesn't have read access to).
Yes exactly, you understand me correctly now.
I've tried NoAccess but that doesn't seem to work. The link is not visible when the user is not logged in (no Read access) but appears when logged in (has Read access). :/
Yes that's correct, I am using an approach with a nested ASP.NET Repeater and GetChildren(), which works pretty well. I don't want to use the EPiServer PageTree due to the HTML table generation.
I'm curious though, an EPiServer PageList with RequiredAccess set to NoAccess, is that supposed to "turn off" the access filter that the EPiServer list controls apply? It still seems to filter on Read access if I try to use this approach..
Yes, using RequiredAccess=NoAccess with an EPiServer PageList will include pages that the user normally would not have access to.
I just did a quick test using EPiServer R2 SP2 to confirm that this is the case.
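The approach the replies describe (fetch all children with GetChildren, skip the controls' Read filter, and let the template decide how to present pages the visitor cannot read), as an added example that is not code from the original thread or from EPiServer. It assumes the EPiServer CMS 5 APIs named in the thread (DataFactory.Instance.GetChildren, FilterPublished, PageData.VisibleInMenu, PageData.ACL.QueryDistinctAccess) and the standard ASP.NET forms authentication ReturnUrl parameter; MenuEntry, MenuBuilder, Build and Render are hypothetical names chosen for the example. Instead of hiding restricted pages, it records per entry whether the current user may read the page and renders such entries as a link to the login page with a ReturnUrl, which is the usual way to get the user back to the requested page after logging in.

```csharp
// Added example, not from the original thread or from EPiServer.
// Assumes EPiServer CMS 5: DataFactory, PageData.ACL.QueryDistinctAccess,
// EPiServer.Filters.FilterPublished, PageData.VisibleInMenu.
// MenuEntry / MenuBuilder are hypothetical names for this example only.
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.Security;
using EPiServer;
using EPiServer.Core;
using EPiServer.Filters;
using EPiServer.Security;

public class MenuEntry
{
    public string Name;
    public string Url;
    public bool CanRead;                 // result of the page ACL check for the current user
    public List<MenuEntry> Children = new List<MenuEntry>();
}

public static class MenuBuilder
{
    // Builds the subtree below root. Only published pages that are visible in
    // menus are kept; access is NOT filtered here, only recorded in CanRead.
    public static List<MenuEntry> Build(PageReference root, int maxDepth)
    {
        List<MenuEntry> result = new List<MenuEntry>();
        if (maxDepth <= 0)
            return result;

        // GetChildren returns all children regardless of the visitor's access,
        // so the access decision stays in this template code.
        PageDataCollection children = DataFactory.Instance.GetChildren(root);
        new FilterPublished().Filter(children);   // drop unpublished / expired pages

        foreach (PageData page in children)
        {
            if (!page.VisibleInMenu)
                continue;

            MenuEntry entry = new MenuEntry();
            entry.Name = page.PageName;
            entry.Url = page.LinkURL;
            // Same check the list controls apply with the default RequiredAccess=Read,
            // but used to flag the entry instead of removing it.
            entry.CanRead = page.ACL.QueryDistinctAccess(AccessLevel.Read);
            entry.Children = Build(page.PageLink, maxDepth - 1);
            result.Add(entry);
        }
        return result;
    }

    // Renders nested <ul> lists. Entries the user cannot read link to the
    // forms-auth login page with a ReturnUrl pointing back at the page.
    public static string Render(List<MenuEntry> entries)
    {
        if (entries.Count == 0)
            return string.Empty;

        StringBuilder sb = new StringBuilder();
        sb.Append("<ul>");
        foreach (MenuEntry entry in entries)
        {
            string href;
            string cssClass;
            if (entry.CanRead)
            {
                href = entry.Url;
                cssClass = "menu-item";
            }
            else
            {
                // FormsAuthentication.LoginUrl reads loginUrl from <forms> in web.config.
                href = FormsAuthentication.LoginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(entry.Url);
                cssClass = "menu-item login-required";
            }

            sb.Append("<li class=\"").Append(cssClass).Append("\">");
            sb.Append("<a href=\"").Append(HttpUtility.HtmlAttributeEncode(href)).Append("\">");
            sb.Append(HttpUtility.HtmlEncode(entry.Name));
            sb.Append("</a>");
            sb.Append(Render(entry.Children));   // recurse into the subtree
            sb.Append("</li>");
        }
        sb.Append("</ul>");
        return sb.ToString();
    }
}
```

Two things worth deciding before using this pattern. First, showing restricted pages in the menu reveals their names (and URLs) to anonymous visitors; if a page's existence is itself sensitive, apply the default Read filter for that branch instead of the CanRead flag. Second, the CanRead check only governs what the menu shows; the page templates themselves still rely on EPiServer's own access check when the page is requested, so a visitor who guesses the URL of a restricted page is still sent to the login page rather than served the content.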