Vulnerability in EPiServer.Forms
I have gone through the community api documentation and have a question around the groups microservice.
My query is in relation to utilising Groups to restrict content (in this case forums/sub forums) based on users' groups. I can’t see documentation supporting this using community api groups. I could look into Identity roles and restrict based on roles but it feels Groups can almost do it, I just need some direction.
I have managed to utilise the Comments microservice to create a forum similar to episerver world so far.
As an example
Let's say you have a forum with the following sub forums:
I have a member called “Joe Bloggs”
I would like to associate each sub forum as a Group and then specify Joe Bloggs as a member of, let's say, Episerver Cms, which means he isn’t a member of commerce or find and thus cannot get access to that sub forum (content).
Any help would be appreciated. Thanks
This is an interesting use case. One possibility would be to extend the comments to include the ID (or IDs) of the groups to which they are associated. This would make the comments' relationship to a particular group readily accessible to your code.
Then interpreting what a user was authorized to see would just be a matter of validating whether or not they were a member of the specified groups. To actively check that you might use the validation options available on the Member API. Alternatively, a more efficient approach might be to retrieve the list of groups of which a user is a member when they login and leverage that as a claim for what they can access.
(The Groups family of services includes a notion of an "association", which is intended to relate content to Groups in the way that "members" relate people to groups. That said, I think extending comments instead may result in a less complicated/chatty implementation.)
Apologies if I've misinterpreted your question. I'm happy to clarify wherever I can.
Thanks for the reply.
Most of my investigation has been around your second approach, but happy to look into your suggestion. The reason why I looked towards your second approach (associating content with groups, members with groups) is because the way I am thinking of building the forum using Comments is creating a content page for each sub forum, attaching Comments against that as initial forum topics/posts and restricting responses against the initial comments so using the api can build up forum threads.
Unless architecturally there is a better way?
Agreed -- a content page for each sub forum is a good way to go. So, depending on how you prefer to approach it, a couple of options come to mind.
My gut feeling is that the first option is likely the best fit. It feels like it carries less complexity than the second, assuming it meets your need.
Ok, just to make sure we're thinking the same thing.
When creating the sub forum (content page) we also set the corresponding group, I am guessing through a selection factory or something similar. We set users' member data (using community api) to what groups they're in and then when authenticating we only display those content pages (sub forums) based on the groups the content pages are in vs. the groups the members are in.
Yes, exactly. Assuming that fits with your requirements of course. :)
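
The design agreed in this thread (group IDs stored on each sub forum page, the member's groups loaded at login and carried as claims), as an added example that is not part of the original posts and is not Episerver code. The claim type `forum:group`, the `SubForum` record, the `ForumAccess` class and the group IDs are hypothetical; only `System.Security.Claims` is a real API here, and the lookup of a member's groups is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical model: a sub forum content page and the group IDs set on it.
public sealed record SubForum(string Name, IReadOnlyCollection<string> GroupIds);

public static class ForumAccess
{
    public const string GroupClaimType = "forum:group"; // assumed claim type

    // Called once at login with the group IDs already retrieved for the member.
    public static ClaimsPrincipal WithGroups(string userName, IEnumerable<string> groupIds)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        claims.AddRange(groupIds.Distinct().Select(id => new Claim(GroupClaimType, id)));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "ExampleAuth"));
    }

    // Server-side check: allow only an authenticated user holding a claim for
    // one of the sub forum's groups. A sub forum with no group set is treated
    // as closed (assumption: fail closed rather than open).
    public static bool CanView(ClaimsPrincipal user, SubForum forum)
    {
        if (user?.Identity?.IsAuthenticated != true) return false;
        if (forum.GroupIds.Count == 0) return false;
        return forum.GroupIds.Any(id => user.HasClaim(GroupClaimType, id));
    }

    public static IEnumerable<SubForum> Visible(ClaimsPrincipal user, IEnumerable<SubForum> all)
        => all.Where(f => CanView(user, f));
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: three sub forums, one member in one group.
        var forums = new[]
        {
            new SubForum("Episerver Cms", new[] { "grp-cms" }),
            new SubForum("Commerce", new[] { "grp-commerce" }),
            new SubForum("Find", new[] { "grp-find" }),
        };
        var joe = ForumAccess.WithGroups("Joe Bloggs", new[] { "grp-cms" });
        foreach (var f in ForumAccess.Visible(joe, forums)) Console.WriteLine(f.Name);
        Console.WriteLine(ForumAccess.CanView(joe, forums[1])); // Commerce is denied
    }
}
```

The same `CanView` check belongs on every path that reads or posts comments for a sub forum, not only on the listing, since hiding a page from navigation does not restrict direct requests. Group claims issued at login stay in effect until the session is refreshed, so a member removed from a group keeps access until then.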