Vulnerability in EPiServer.Forms
I have EPiServer CM6.0 based web site with integrated Community 4.0.
I can add new users, but I don't have the ability to change passwords: the password input fields are disabled, and I cannot reset or amend a password when a user forgot one (I don't see such functionality).
How do I change my own password (enable the password input fields) and find the "Forgot password" functionality?
I've never worked with community but if you use the sql membership and role providers you can create and change passwords. If you use the multiplexing provider the sql must be the first in the multiplexing provider settings.
You are right, it is possible to manage passwords over IIS, but I expect to have a more customer-friendly UI to manage own and forgotten passwords, embedded in EPiServer Edit mode.
I found a BVNetwork.EPiUserPlugins control on the epicode site. Unfortunately it doesn't support EPiServer 5.0 and 6.0 and is in need of big refactoring. I would prefer to use a standalone EPi password management tool. Should I implement one myself, or does it exist somewhere in Edit mode?
You have to implement it yourself. If you do something nice, it would be great to share it in the EPiServer code section: http://world.episerver.com/Code/
Thanks a lot for your answers.
I have investigated this a little bit and come to the conclusion that you probably use “EPiServer.Common.Web.Authorization.MembershipProvider”. This provider always returns false for the function “EnablePasswordReset”, which the CMS uses to verify whether the provider is able to change passwords or not.
Change the provider to “EPiServer.Common.Web.Authorization.IntegrationMembershipProvider” and set the provider attribute to the underlying provider you want to use (I used the normal configuration for SqlMembershipProvider).
To test it out, create a new user and log in with this account; then the tables tblEPiServerCommonUser and tblEPiServerCommonGroup will be filled, and you have the possibility to change the password in the normal CMS admin mode.