Vulnerability in EPiServer.Forms
We're having problems with users in the WebEditors group not being able to edit any content. If I've understood it correctly, this is a built-in group so all you need to do is to add the group and you don't have to specify any access rights.
The authorization code is in the web.config, and we also tried to explicitly set the access rights without luck. We compared the web.config and the episerverframework.config with another EPi 7 site on the same server, and the values are identical. It works for the other site, but not this one.
Are there any other settings we've missed out?
On the site where the WebEditors group can't edit, which membership and role providers are used?
WebEditors is a built-in group, but it only grants access to the edit interface (allows you to enter Edit Mode); it doesn't actually give any specific access to edit content. The reason for this is that a site typically has editors of different levels, who are each allowed to edit parts of the site but not necessarily all of it.
Go to Admin Mode > Set Access Rights and check if the WebEditors group has any specific access rights for either the Startpage or subpages. Also check if access rights may be inherited from further up the tree (e.g. the Root).
Actually, it is bad practice to give the built-in WebEditors group rights to edit your content. It should be used only for granting general access to edit mode.
You should create additional editor groups who DO have the rights to edit/modify/publish content. So in summary, your editors should be members of WebEditors + at least one other group.
(The same principle applies to the built-in WebAdmins group.)
Thank you Arild for your answer and suggestion. We created an additional editor group and it works fine!
We use MultiplexingRoleProvider and MultiplexingMembershipProvider as our default providers.