Vulnerability in EPiServer.Forms
We discovered a bug/breaking change today. If a visitor/editor doesn't have access on the root page, the following occurs:
In edit mode: The page tree will fail to load
In edit and public mode: The MenuList control will throw access denied exceptions, but not on every page. I haven't been able to figure out why the MenuList works on one page, and fails on another though.
This is a different behaviour compared to CMS 6, where Everyone doesn't require access on the root page. The only thing that fails in CMS6 is when an editor selects the root page in the page tree (Access denied). But the tree is loaded, and MenuList works just fine.
This is not really an issue, but it could cause confusion if you upgrade from CMS6 to CMS7; the only thing required is to give Everyone read access on the root page. So I would suggest that this gets fixed in the upcoming patch.
Submit a bug report just in case :-)