Vulnerability in EPiServer.Forms
How do I ensure a unified search correctly applies the querying users security context to the search results?
From the Find documentation, the example shows filtering a single page type's results to only pages that have the 'everyone' group with 'read' access.
With a unified search, I need to:
Apologies if this information has already been documented; if it has, I cannot find it!
When using UnifiedSearch, all IContent and UnifiedFiles will be filtered by default on user/roles with read access (based on the current user placing the request). This can be turned off by passing false to the 'GetResult' method:
UnifiedSearchQuery.GetResult(filterForPublicSearch: false);
'filterForPublicSearch' also filters all IContent so that only content published in the current language is returned.
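To make the consequence of that parameter concrete, here is an added example (my own code, not from this thread or from EPiServer's documentation) showing the two call shapes side by side. It assumes the EPiServer.Find.Cms SearchClient and UnifiedSearchFor extension, and it guards the unfiltered variant with an admin check via EPiServer.Security.PrincipalInfo, which is my choice of gate and not something the thread prescribes; the class and method names are hypothetical.

```csharp
using System;
using EPiServer.Find;
using EPiServer.Find.Cms;
using EPiServer.Find.UnifiedSearch;
using EPiServer.Security;

// Hypothetical wrapper around EPiServer Find's UnifiedSearch (added example, not project code).
public class SiteSearchService
{
    // Public site search: the default GetResult() applies filterForPublicSearch = true,
    // so results are trimmed to content the *current* user may read and to content
    // published in the current language. This is the call a public search page should use.
    public UnifiedSearchResults SearchForCurrentUser(string query)
    {
        if (string.IsNullOrWhiteSpace(query))
        {
            throw new ArgumentException("Query must not be empty", nameof(query));
        }

        return SearchClient.Instance
            .UnifiedSearchFor(query)
            .GetResult();
    }

    // Unfiltered search: passing filterForPublicSearch: false removes BOTH the access-rights
    // filter and the published-in-current-language filter. Anything returned here may be
    // unpublished or restricted, so the call is gated on admin access (assumption: the
    // PrincipalInfo.HasAdminAccess check is an adequate gate for the caller's use case,
    // e.g. an editor-side index inspection tool). Never expose this path to anonymous users.
    public UnifiedSearchResults SearchUnfilteredForAdmins(string query)
    {
        if (!PrincipalInfo.HasAdminAccess)
        {
            throw new UnauthorizedAccessException(
                "Unfiltered UnifiedSearch is restricted to administrators");
        }

        return SearchClient.Instance
            .UnifiedSearchFor(query)
            .GetResult(filterForPublicSearch: false);
    }
}
```

Keeping the two variants in separate methods makes the security boundary visible in code review: any new caller of the unfiltered method has to justify why the per-user read-access filter is being bypassed.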
I have just run a test and can see this works as you described.
One question - In the test scenario I have just run, I had a document first in a public folder which I then moved into a deeper private folder in the vpp.
The document did not get re-indexed when I performed the move (cut and paste). This meant that the file still showed up in public searches (with the wrong URL) until I ran the re-index scheduled job.
The issue is easily solved by running a re-index, however would you expect the file to have been re-indexed by performing the move?
I'm experiencing some issues with UnifiedSearch after upgrading to the latest CMS version 7.17 and Find version 188.8.131.524. The user I'm testing with has full rights to the site, and the search yields 0 results if the Everyone group is removed from the root and the content is indexed after the removal. After adding it again and reindexing, the search gives results again. Other searches are working just fine, such as SearchClient.Instance.Search<SomePage>().For(q).
An update to the issue I'm facing:
There is a bug which affects versions somewhere between 7.13.3 and 7.17; I'm not sure exactly which one. The bug report has been created (no. 119768), but I'm not sure when it's going to be public.
The UnifiedSearch fails to recognise rights given to an SqlMembership user via SqlRole.
If a user (unfiedUser) belongs to a group (sitePublishers) which has been given Read through Administer rights to the whole page, he will not retrieve any results from the UnifiedSearch. This does not affect WindowsRole and membership providers.
Workaround for this issue at the moment is to give direct rights to the sql user instead of the group the user belongs to.
It would be awesome if the info that Henrik posted could be added to the docs