Problem: When my customer sets a page to expired and that page has files in the pagefiles folder, an access error occurs:
You are not authorized to access /PageFiles/26664/file.png
IClient client = SearchClient.Instance;
FilesResult result = client.Search<UnifiedFile>()
    .FilterOnReadAccess()
    .For(query)
    .Skip(skip)
    .Take(take)
    .GetFilesResult();
Is Find not taking care of expired pages automatically? Is there anything I could do in the search, or could I somehow catch an "expired event" and remove the page/pagefiles from the index?
Referring to Access Rights in Find Documentation:
The search engine doesn’t implement any access rights filtering for documents (pages, files etc). If you add FilterForVisitor() to your query, you should be fine. FilterForVisitor includes ExcludeDelete, PublishedInCurrentLanguage, and FilterOnReadAccess.
FilterForVisitor isn't available on GetFileResult, and .Filter(x => x.RolesWithReadAccess().Match("Everyone")) doesn't make any difference either if I don't set bypassAccessCheck to true on pagefiles.
For now, bypassAccessCheck set to true works, but I think there should be some way to use GetFileResult with pagefiles without having to enable bypassAccessCheck...
What EPiServer version is this?