CatalogContentProvider does not respect IPrincipalAccessor name change


For some automatic tasks, we would like to know that the content has been recently modified by the task rather than by an editor user.

To achieve this in CMS content one can use IPrincipalAccessor and this works for PageData.
However it does not work for Catalog content (EntryContentBase), and after saving the content, it still uses the name of the last user.

Package versions:
EPiServer.Framework 12.13.1
EPiServer.CMS 12.17.1
EPiServer.Commerce 14.10.0

Consider the following code:

private readonly IContentRepository _contentRepository;
private readonly IPrincipalAccessor _principalAccessor;
private readonly ReferenceConverter _referenceConverter;

// injection omitted for brevity 

_principalAccessor.Principal = new GenericPrincipal(
    new GenericIdentity("AutomaticTask"),
    new[] { Roles.Administrators });

var pageReference = new ContentReference(1414);
var productReference = _referenceConverter.GetContentLink("Product2_1");

var page = _contentRepository.Get<StandardPage>(pageReference); // StandardPage inherits PageData
var product = _contentRepository.Get<FancyProduct>(productReference); // FancyProduct inherits ProductContent

var writablePage = page.CreateWritableClone() as StandardPage;
writablePage.MainBody = new (DateTime.UtcNow.Ticks.ToString());
_contentRepository.Save(writablePage, SaveAction.Publish, AccessLevel.NoAccess);

var writableProduct = product.CreateWritableClone() as FancyProduct;
writableProduct.MainBody = new (DateTime.UtcNow.Ticks.ToString());
_contentRepository.Save(writableProduct, SaveAction.Publish, AccessLevel.NoAccess);

Before running the code, after content has been created by editor:

And after running the code:

Mar 17, 2023 15:58

After a little deeper dive into the code, it seems that the following happens:

DefaultContentProvider executes:

ContentReference contentReference = this._contentProviderDatabase.Save(content, action, this._principalAccessor.CurrentName());

where CatalogContentProvider executes:

ContentReference contentReference = this._catalogContentCommitterHandler.Save(content as CatalogContentBase, action, PrincipalInfo.CurrentPrincipal.Identity.Name);
Mar 17, 2023 16:28

Hi Karol

Try adding this to your code. I believe this is what you want.

writableProduct.ChangedBy = "AutomaticTask";

There is also a content.CreatedBy property, for jobs that create the initial/first version of the content.

Mar 19, 2023 18:03

It seems to be this bug COM-16450 - i.e. it's known but was not fixed on 14.x

Mar 20, 2023 8:58

Hi Stefan,

It works, but partially :) 
If the product is updated with the ChangedBy modification, then it stays with the same value even if an editor changed that product.
Probably due to the bug that Quan mentioned.

Mar 20, 2023 9:24
Stefan Holm Olsen - Mar 20, 2023 9:35
Then you could write to support and mention the bug number from Quan’s reply. So they can prioritize it. That usually helps.
Karol Berezicki - Mar 20, 2023 9:36
Will do, thanks for the suggestion :)

FWIW I pinged the commerce development team again. They fixed the issues on 13.x and planned to port the fix to 14.x. Not sure why that hasn't happened.

Mar 20, 2023 10:24
Stefan Holm Olsen - Mar 20, 2023 10:43
Hope the team will fix the usage of PrincipalInfo from static extension methods, too. They are really hard to intercept and replace.