Vulnerability in EPiServer.Forms
I have a request from our client to allow one of their employees access to run/view Reports (tab under the CMS view), but not edit the site. Is this possible?
Yes, that is indeed possible.
Often, according to my experience on client projects, Content Editors are the users with the least privileges in the Episerver interface. In your case, though, that would no longer be the case. In order to achieve this, you should:
1. Create a new role solely for access to the Episerver interface without any editing privileges (e.g. "WebUser").
2. Ensure users in your "WebUsers" role have access to your Episerver interface. It's configured, via Web.config, as part of the <authorization/> element beneath <location path="/Your-Episerver-Path/">.
3. Ensure users, in your "WebUsers" role, are not allowed to "Change", "Publish", "Create" and "Delete" for the "Root" section in "Set Access Rights".
4. Ensure all your users are at least members of "WebUsers".
Hope this gave you enough detail.
Casper Aagaard Rasmussen
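A way to check step 2 before deploying, added here as an example (it is not part of the answer above or of Episerver's own code): the script evaluates the <authorization/> rules in a Web.config the way ASP.NET URL authorization does, first matching rule wins with the most specific <location> checked first, so you can confirm the read-only role reaches the interface but not the admin section. The sample config, its paths and the WebEditors/WebAdmins role names are constructed assumptions, and only roles="..." and users="*" rules are modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment (not from the post). The paths and the
# WebEditors/WebAdmins roles are assumptions; "WebUsers" is the role from the answer.
SAMPLE_CONFIG = """
<configuration>
  <location path="EPiServer">
    <system.web><authorization>
      <allow roles="WebEditors, WebAdmins, WebUsers" />
      <deny users="*" />
    </authorization></system.web>
  </location>
  <location path="EPiServer/CMS/admin">
    <system.web><authorization>
      <allow roles="WebAdmins" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>
"""

def _names(value):
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def rules_for(config_xml, request_path):
    """Rules that apply to request_path, most specific <location> first."""
    req = request_path.strip("/").lower()
    hits = []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "").strip("/").lower()
        if req == path or req.startswith(path + "/"):
            auth = loc.find("./system.web/authorization")
            if auth is not None:
                hits.append((len(path), list(auth)))
    hits.sort(key=lambda h: -h[0])
    return [rule for _, rules in hits for rule in rules]

def is_allowed(config_xml, request_path, user_roles):
    """First matching rule wins; with no match the default is allow."""
    mine = {r.lower() for r in user_roles}
    for rule in rules_for(config_xml, request_path):
        everyone = "*" in _names(rule.get("users"))
        if everyone or mine & _names(rule.get("roles")):
            return rule.tag == "allow"
    return True
```

Because the first match wins, the <allow/> line has to stay above <deny users="*" />, and the new role should be added only to the interface path, not to the admin one.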
Thank you for your answer! I got it working