Vulnerability in EPiServer.Forms
Hi! I'm a novice to EPiServer, and I'm trying to restrict access to a part of our web to logged-on users. It should work so that when you try to access a page or its siblings, you are directed to the login dialog.
I know the basics on how to enable a login dialog, but I believe I have not succeeded in specifying a path for this restricted area (from my web.config):
<location path="No/Projects/Thenet/Thenet-closed">
  <system.web>
    <authorization>
      <allow users="netusr" />
      <allow roles="MyServer\WebEditors, MyServer\WebAdmins, Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
...it's this path="No/Projects/Thenet/Thenet-closed" that I assume I can't get right. (It's the page URL, but you guessed that, I believe.)
Any hints would be helpful!
The point is not hiding the page tree, but to ensure only logged-in users (specified by <allow users="netusr" /> & <allow roles="MyServer\WebEditors, MyServer\WebAdmins, Administrators" /> in my example) gain access.
Also, that whenever you try to access a protected page, the login dialog pops up.
Thanks for your kind suggestions - but how it should work is:
- when someone tries to access a page on a protected branch, the login dialog pops up. For protecting edit/admin modes, this is done with entries in web.config. It's specified that EPiServer uses the ASP.NET model for access control, so I believe I should seek a solution there rather than modifying the routine for building menus.
I used web.config to specify that users need to be logged on to access our intranet. I just can't figure out how to specify the actual path in web.config to achieve the same kind of behaviour you get with EPiServer when accessing edit mode...
Any ideas on how to specify the path in this line, when the path is simply an EPiServer "page path" (the first "No" indicates "Norwegian"):
I'm not sure the location method will work for EPiServer pages, because of the FURL, but I might be wrong. For the edit/admin mode it works because the URL is not rewritten by the FURL. Perhaps you can add a location for your templates, but this will not serve your purposes since a template's location isn't strictly tied to where it's used in the page hierarchy.
Still, I don't understand why you can't use the EPiServer access rights to restrict access (=require login) for a branch of the page tree. That is exactly what they are for. Just remove the access rights for the Everyone role on the "Thenet-closed" branch and the login will appear if a user tries to access these pages.
OK, now I get it. Thank you very much!
Er, well, not that simple (quoting): "Just remove the access rights for the Everyone role on the "Thenet-closed" branch and the login will appear if a user tries to access these pages." ... does the logon pop up if I get to display the page tree/menus also including restricted pages? Also, I need a different login box for this part of the web (different from the WebEditor login). How can I achieve that if not in web.config?
The source of my problems was that I interpreted what was said - that EPiServer 5.x uses ASP.NET authentication instead of a native mechanism. Well, it does for some kinds of pages, only not for the regular ones. It would be nice if someone had written that, too. I'm trying to learn both EPiServer and ASP.NET at the same time, and I really have a hard time knowing what is going on where...
I might be wrong - there might be a way to do this with locations.
The login appears when there is a call to get a page from the EPiServer page store (I don't know exactly at what level, so read this critically) causing a violation of access rights. It is possible to make calls ignoring access rights, which is what for example the PageList control will do if you tell it to. In the control templates you can then act on the PageData objects you get (display a property from the page for example) without causing violations. When a page is requested (link clicked etc.) however, the access rights will be checked, and the login will appear if the current user does not have sufficient access rights.
You can change the login page, but AFAIK there is no way to have several different login pages out of the box. If you really need it, you should be able to build a login page which displays differently depending on the requested URL.
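An added example (not code from the thread, and not EPiServer's own code) showing the two points made in this reply: a menu that renders restricted pages without tripping an access-rights violation, and a single login page that varies its content by the requested URL. It assumes an EPiServer CMS 5 site on ASP.NET Forms Authentication, that the restricted branch sits at the friendly URL prefix /No/Projects/Thenet/Thenet-closed/ (the path from the original post), and that the login page's markup declares the IntranetPanel, EditorPanel and LoginControl controls; those names, the IntranetLogin and RestrictedMenu classes, and the Entry type are invented for the example. The EPiServer calls used (DataFactory.Instance.GetPage with an AccessLevel argument, PageData.QueryDistinctAccess) are the CMS 5/6 API as I know it; verify them against the API reference for your version.

```csharp
// Added example, not from the thread. Assumptions: EPiServer CMS 5 on ASP.NET
// Forms Authentication; IntranetLogin.aspx declares the three controls below;
// the restricted branch sits at the friendly URL prefix from the original post.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using EPiServer;
using EPiServer.Core;
using EPiServer.Security;

public partial class IntranetLogin : Page
{
    // Friendly URL of the protected branch (value taken from the original post).
    private const string RestrictedPrefix = "/No/Projects/Thenet/Thenet-closed/";

    // Declared in the .aspx markup (hypothetical names for this example).
    protected Panel IntranetPanel;
    protected Panel EditorPanel;
    protected Login LoginControl;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms Authentication appends ?ReturnUrl=<requested page> when it
        // redirects to the login page; that is what tells us which "face" to show.
        string returnUrl = SafeReturnUrl(Request.QueryString["ReturnUrl"]);
        bool intranetRequest = returnUrl.StartsWith(RestrictedPrefix, StringComparison.OrdinalIgnoreCase);

        IntranetPanel.Visible = intranetRequest;   // intranet branding and text
        EditorPanel.Visible = !intranetRequest;    // the ordinary WebEditor login
        LoginControl.DestinationPageUrl = returnUrl;
    }

    // ReturnUrl arrives from the client (ASP.NET has already URL-decoded it),
    // so accept only an app-local path; an absolute URL or a protocol-relative
    // "//host" would turn the login page into an open redirect.
    internal static string SafeReturnUrl(string candidate)
    {
        if (string.IsNullOrEmpty(candidate))
            return "/";
        bool local = candidate.StartsWith("/") && !candidate.StartsWith("//") && !candidate.StartsWith("/\\");
        return local ? candidate : "/";
    }
}

// Menu helper: load pages without triggering the access check (AccessLevel.NoAccess),
// then render a plain label for pages the current user cannot read. The login
// only appears when such a page is actually requested, as the reply describes.
public static class RestrictedMenu
{
    public sealed class Entry
    {
        public string Text;
        public string Href;   // null when the user may not follow the link
    }

    public static Entry Describe(PageReference pageLink)
    {
        // Loading with NoAccess never throws AccessDeniedException, so building
        // the menu cannot itself pop up the login dialog.
        PageData page = DataFactory.Instance.GetPage(pageLink, AccessLevel.NoAccess);
        bool readable = page.QueryDistinctAccess(AccessLevel.Read);
        return new Entry
        {
            Text = page.PageName,
            Href = readable ? page.LinkURL : null
        };
    }
}
```

Point the site's Forms Authentication loginUrl at this one page; the restricted branch and the editor area then share it, and the branch itself stays protected by the page-tree access rights rather than by the URL prefix, which only selects the presentation.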
Okay, thank you very much!
I'll have to choose between two models, then: either create an explicit login page acting as a starting point for what's protected, or modify the page selection routine.
Guess I'll be going for the first one, as this may also solve the login box appearance & text issue (either by supplying a custom css or by creating a new page template derived from login.aspx).
Thanks again!