Vulnerability in EPiServer.Forms
We've implemented the sample workflows and have been testing the sequential approval workflow. As part of this workflow, EPiServer sends emails to users, when they have been assigned the task of approving a content change, or when the result of that approval (Yes or No) has been decided.
The problem we're having is that the from address of the email is always the same as the recipient. This is causing Outlook to view the email as spam and put it in the Junk folder.
Also, in the text of the email itself, it says the task is "Assigned to" the correct user, but then also says that it was "Assigned by" the same user.
Has anyone else experienced this issue or can anyone suggest a solution? This is starting to become a real problem for us.
Sorry about the repeated posts - I received some errors so retried a couple of times.
Anyway, I believe the problem is that EPiServer is not setting the Owner property of the Task object correctly. I think it is setting it to be the same as the AssignedTo property.
Can anyone confirm this, and if so is there a fix?
Right, I've done some more digging. Looks like the task is being created via the CreateTask activity. The properties of CreateTask are very similar to the Task class itself, however CreateTask does not have an Owner property. As a result approval tasks are being created with the wrong owner. If you check the OwnerName field in the database you can see it ends up the same as the AssignedToName field.
There should be a way to set the Owner of the task but I can't find it. Any ideas anyone?
I have reported this as a bug in our tracking system.
What you can do to work around this for now is to set up an eventhandler for Task.StatusChanged
In the eventhandler you can get hold of the task as source and on the task check that WorkflowInstanceId is not Guid.Empty then you know that the task is workflow related). You can then change Owner property to something else than AssignTo.
The event is raised after the task is saved to db but before email is sent so in db it will still be stored with AssignTo=Owner but the email will have a different from address.