Vulnerability in EPiServer.Forms
I'm building a search page where one can find all documents, including PDF, Word, Excel ... It's working well now; however, some folders are only accessible to particular users/groups, so all documents under these folders should not be shown in the search results.
Right now we are post-processing the result list and checking the permission of the parent folder: if the current user doesn't have permission to read that folder, the result is removed from the list. However, the paging is not working properly, because the total result count is wrong and the number of items displayed on each page is not consistent. We are changing the implementation to build a custom filter that checks the parent folder permission and only gets the relevant items from EPi Find. We don't know how to do that with the EPi Find client. Can anyone please help us solve that problem?
For filtering on access rights, there is an extension method for that:
.For("Possibly secret stuff")
.Filter(x => x.RolesWithReadAccess().Match("Everyone"))
Thanks @Daniel for your quick answer. However, it's checking the current item; what I'm looking for is checking the parent folder's permission, not the current item's.
Then I would either make sure the current items actually have those access rights. Since they are normally inherited, that should be easy, but maybe you have some reason why you are not using that?
Otherwise I would create a new separate field on the indexed file for that logic and filter on that.
Hi Daniel, actually the search page is working for file searching, including PDF and Word document files, so we have to base it on folder permission instead of file permission.
OK, I don't know how you store the files, but in normal Episerver solutions you can set access rights on the files as well from the file manager and then use Find to filter them. Then you get out-of-the-box support for that.
Hi Daniel, in my current website we are setting access rights at the folder level, not on individual files, because there are a lot of files in the existing site.
That's good. But if you set them on the folder they will also be inherited to the file itself. So the expression above should work if I'm not missing anything here...
Hi Daniel, I tried to set permission on the folder and checked the permission in EPi Find. It worked well for the folder; however, the permission for all files belonging to that folder didn't change in EPi Find.
Try reindexing the file, either by publishing it again or by running the job. Then you can check the access rights of the file first in Episerver and then in the Episerver Find index browser. They should be inherited in both.
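The "separate field on the indexed file" approach suggested in the thread, sketched as an added example (not code from any poster or from Episerver). It assumes the files are `MediaData`, that the `RolesWithReadAccess()` extension from the answer can be called on the parent folder, and that the caller resolves the visitor's role names; `ParentRolesWithReadAccess`, `Register` and `Search` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using EPiServer;
using EPiServer.Core;
using EPiServer.Find;
using EPiServer.Find.Cms;
using EPiServer.Find.Framework;
using EPiServer.ServiceLocation;

public static class ParentFolderAccess
{
    // Hypothetical indexed field: roles allowed to read the file's parent folder.
    public static IEnumerable<string> ParentRolesWithReadAccess(this MediaData file)
    {
        var loader = ServiceLocator.Current.GetInstance<IContentLoader>();
        IContent parent;
        // Fail closed: a file whose folder cannot be loaded matches no role.
        return loader.TryGet(file.ParentLink, out parent)
            ? parent.RolesWithReadAccess().ToList()
            : new List<string>();
    }

    // Call once at startup (for example from an initialization module).
    public static void Register()
    {
        SearchClient.Instance.Conventions
            .ForInstancesOf<MediaData>()
            .IncludeField(x => x.ParentRolesWithReadAccess());
    }

    // roles: the current visitor's role names, resolved by the caller (assumption).
    public static IContentResult<MediaData> Search(
        string query, IEnumerable<string> roles, int page, int pageSize)
    {
        var roleList = roles.ToList();
        // An empty OR filter must not turn into "no restriction".
        if (roleList.Count == 0) throw new ArgumentException("No roles supplied", "roles");

        var client = SearchClient.Instance;
        var allowed = client.BuildFilter<MediaData>();
        foreach (var role in roleList)
        {
            var r = role; // copy for the expression closure
            allowed = allowed.Or(x => x.ParentRolesWithReadAccess().Match(r));
        }
        // Filtering inside the query keeps TotalMatching and page sizes consistent.
        return client.Search<MediaData>().For(query).Filter(allowed)
            .Skip((page - 1) * pageSize).Take(pageSize).GetContentResult();
    }
}
```

The field is computed when a file is indexed, so after a folder's access rights change the files under it have to be reindexed before the filter reflects the new permissions.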