Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

Bug / breaking change: Everyone must have read access on root page


We discovered a bug/breaking change today, if a visitor/editor doesn't have access on the root page, the following occurs:

In edit mode: The page tree will fail to load

In edit and public mode: The MenuList control will throw access denied exceptions, but not on every page. I haven't been able to figure out why the MenuList works on one page, and fails on another though.

This is a different behaviour compared to CMS 6, where Everyone doesn't require access on the root page. The only thing that fails in CMS6 is when an editor selects the root page in the page tree (Access denied). But the tree is loaded, and MenuLIst works just fine.

This is not really an issue, but could cause confusion if you upgrade from CMS6 to CMS7, the only thing required is to give Everyone read access on the root page. So I would suggest that this gets fixed in the upcoming patch.

May 31, 2013 14:04

Submit a bug report just in case :-)

Jun 05, 2013 11:13
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.