Try our conversational search powered by Generative AI!

FilterOnReadAccess() broken due to changes in VirtualRoleRepository (Episerver please fix it)



Episerver Find extension method ContentSearchExtensions.FilterOnReadAccess is broken. It no longer returns any results for anonymous users.

The issue happens with the latest nugets:
EPiServer.CMS.Core 9.8.1

It seems that the issue is caused by changes in EPiServer.Security.VirtualRoleRepository, which has method VirtualRoleRepository.GetDefault() for obtaining an instance. The method is now deprecated and no longer works as it should, but the latest Find nuget uses it. The fix is to use IoC to obtain the instance.

    // Class: EPiServer.Find.Cms.ContentSearchExtensions
    private static IEnumerable GetCurrentUsersRoles()
      List list = Enumerable.ToList((IEnumerable) PrincipalInfo.Current.RoleList);
      // This seems to cause the issue. GetDefault method is deprecated and returns the wrong instance
      VirtualRoleRepository @default = VirtualRoleRepository.GetDefault();
      // !!! Should use IoC. This retrieves the correct instance
      //VirtualRoleRepository @default = ServiceLocator.Current.GetInstance();
      foreach (string name in @default.GetAllRoles())
        VirtualRoleProviderBase virtualRoleProvider;
        if (@default.TryGetRole(name, out virtualRoleProvider) && virtualRoleProvider.IsInVirtualRole(PrincipalInfo.CurrentPrincipal, (object) null))
      if (Roles.Enabled)
        list.AddRange((IEnumerable) Roles.GetRolesForUser(PrincipalInfo.Current.Name));
      return Enumerable.Distinct((IEnumerable) list);

The latest CMS patch is not rollbackable due to DB changes, and I would really like to avoid making own workaround extensions for Find. So, could you release a fix as soon as possible, please :)

Apr 21, 2016 1:24

Looks like EPiServer.GoogleAnalytics is also affected, and likely all older code that uses virtual roles. Perhaps the easiest fix is to make VirtualRoleRepository<VirtualRoleProviderBase>.GetDefault() backwards compatible?

Edit: Episerver support had already received a bug report about the issue: This is an issue which has been reported already and a bug has been created: FIND-973 After upgrading cms.core to 9.8.0 .FilterOnReadAccess() and .FilterForVisitor() stops working for anonymous users

Edited, Apr 21, 2016 2:30


Any update on this? Got the same problem for one customer. 

/ Henric

Apr 26, 2016 8:29

Can't seem to find it in their buglist: 

"The bug you were looking for – FIND-973 – doesn’t exist"

Apr 27, 2016 13:19

I asked the support if they knew anything. 

"The developers haven't started to investigate this bug yet. The bug is in 'Triage' which means that the process hasn't started yet."

/ Henric

Edited, Apr 27, 2016 13:26

The bug has been fixed and is currently in test for verification. If everything goes as planned it should be included in next release of EPiServer.CMS.Core

May 02, 2016 17:31

Great news! But when are you planning the next release of EPiServer.CMS.Core? 

/ Henric

May 03, 2016 7:55

Hopefully at the end of this week (friday) or early next week

May 03, 2016 8:43

Same here, little bit of panic here, please fix this rapidly!

May 05, 2016 9:15

I see now there is a new release out!

May 10, 2016 7:23

Is the fix included in this update?

May 10, 2016 10:54

The fix is included in EPiServer.CMS.Core 9.9.0

May 10, 2016 10:56
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.