Vulnerability in EPiServer.Forms
Hello

I've stumbled on what I think is a bug in EPiServer CMS R2. It seems that all the controls and role checking in EPiServer use Context.User.IsInRole to check if the user has sufficient rights. The thing is that if you use a custom RoleProvider it has the method Role.IsUserInRole which should be used and not Context.User.IsInRole. The method Context.User.IsInRole derives from .NET 1.1 and calls the RolePrincipal class. The caching is done in this class, which calls Role.GetRolesForUser and then caches the list for subsequent calls.

That means that if you've built a custom role provider with some logic of its own in it, User.IsInRole won't always be the same as Role.IsUserInRole. User.IsInRole is also very slow when you use the Active Directory Membership Provider. Why doesn't EPiServer use Role.IsUserInRole instead of User.IsInRole? In my opinion this is a major bug that is hard to address.

/Andreas
You can argue that it is an inconsistency that the RolePrincipal implementation of IPrincipal.IsInRole provided by Microsoft does not call Roles.IsUserInRole, and if I google for it I find many people feel the same way.

But User.IsInRole is the way to check roles for the currently logged-in user, because ASP.NET does not require you to use role providers at all, or you can even provide your own implementation of IPrincipal. For example, the concept of "virtual roles" in EPiServer CMS does just this by wrapping an existing principal. And if you don't like the default implementation of RolePrincipal you can even provide your own, or complain to Microsoft.
If you look at new frameworks from Microsoft such as ASP.NET MVC you will find that they also call User.IsInRole rather than calling directly into Roles.IsUserInRole.
Hope that helps.
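A worked example of the divergence Andreas describes and of the wrapping approach the answer points at. This is added here and is not code from the original thread or from EPiServer: LiveRoleProvider is a hypothetical read-only RoleProvider whose IsUserInRole carries logic that GetRolesForUser cannot express, and ProviderCheckedPrincipal is a wrapper IPrincipal (written in the spirit of "wrap an existing principal", not EPiServer's own virtual-role implementation) that routes every IsInRole call through Roles.Provider.IsUserInRole instead of RolePrincipal's cached GetRolesForUser snapshot. The provider name, the MaintenanceWindowOpen flag and the membership table are invented for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical read-only RoleProvider (illustration only, not EPiServer's code).
// IsUserInRole applies live logic that the GetRolesForUser snapshot cannot carry,
// which is exactly when RolePrincipal.IsInRole and Roles.IsUserInRole disagree.
public class LiveRoleProvider : RoleProvider
{
    // Constructed sample membership table standing in for a directory lookup.
    private static readonly Dictionary<string, string[]> Memberships =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "andreas", new[] { "Editors", "Administrators" } },
            { "guest",   new[] { "Readers" } }
        };

    // Constructed live condition: "Administrators" is only honoured while a
    // maintenance window is open. GetRolesForUser knows nothing about it.
    public static volatile bool MaintenanceWindowOpen;

    public override bool IsUserInRole(string username, string roleName)
    {
        bool isAdminRole = string.Equals(roleName, "Administrators", StringComparison.OrdinalIgnoreCase);
        if (isAdminRole && !MaintenanceWindowOpen)
            return false;
        return Array.Exists(GetRolesForUser(username),
            r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    // This is what RolePrincipal calls once per request and then caches.
    public override string[] GetRolesForUser(string username)
    {
        string[] roles;
        return Memberships.TryGetValue(username ?? string.Empty, out roles)
            ? (string[])roles.Clone()
            : new string[0];
    }

    public override string[] GetAllRoles() { return new[] { "Readers", "Editors", "Administrators" }; }
    public override bool RoleExists(string roleName) { return Array.IndexOf(GetAllRoles(), roleName) >= 0; }
    public override string ApplicationName { get; set; }

    // Membership is managed elsewhere; the remaining members are not needed here.
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}

// Wrapper principal: keeps the identity ASP.NET authenticated, but answers
// IsInRole from the configured provider's IsUserInRole, not from a cached list.
public sealed class ProviderCheckedPrincipal : IPrincipal
{
    private readonly IPrincipal _inner;

    public ProviderCheckedPrincipal(IPrincipal inner)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        _inner = inner;
    }

    public IIdentity Identity { get { return _inner.Identity; } }

    public bool IsInRole(string role)
    {
        if (role == null || !Identity.IsAuthenticated) return false;
        return Roles.Provider.IsUserInRole(Identity.Name, role.Trim());
    }
}

// Global.asax: swap the RolePrincipal that RoleManagerModule attached for the
// wrapper, so that Context.User.IsInRole in controls reaches the provider.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user != null && user.Identity.IsAuthenticated && !(user is ProviderCheckedPrincipal))
        {
            Context.User = new ProviderCheckedPrincipal(user);
            System.Threading.Thread.CurrentPrincipal = Context.User;
        }
    }
}

public static class RoleCheckDemo
{
    // Compares the two answers for one authenticated identity. Needs roleManager
    // enabled in web.config with LiveRoleProvider as the default provider.
    public static void ShowDivergence()
    {
        LiveRoleProvider.MaintenanceWindowOpen = false;
        var identity = new GenericIdentity("andreas", "Forms");
        var cached = new RolePrincipal(identity);            // what Context.User is after RoleManagerModule
        var live = new ProviderCheckedPrincipal(cached);

        Console.WriteLine("RolePrincipal.IsInRole:      {0}", cached.IsInRole("Administrators"));
        Console.WriteLine("Roles.Provider.IsUserInRole: {0}", live.IsInRole("Administrators"));
    }
}
```

For this to run inside an ASP.NET application the roleManager section must be enabled with LiveRoleProvider registered as the default provider, otherwise Roles.Provider and the RolePrincipal constructor throw. With the window closed, the RolePrincipal reports "Administrators" as true because the snapshot from GetRolesForUser lists it, while the wrapper reports false because the provider's IsUserInRole was actually consulted; an authorization check made through the cached principal is therefore taken on stale data, which is the practical risk behind the question. Two caveats: the Global.asax handler relies on running after RoleManagerModule's own PostAuthenticateRequest handler (the usual order, but worth verifying in your pipeline), and if cacheRolesInCookie is enabled the snapshot also survives across requests in the role cookie, so the gap between the two checks grows accordingly.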