Vulnerability in EPiServer.Forms
I've been trying to get some help but not getting too far. I want to alter the way the workflow in CMS 6 works, to allow people without publish rights to approve workflows. Has anyone out there done this?
I have tried creating my own workflow and adding it to my EPiServer project, but I need to link into all the templates for the start params etc., and this is not working. Any help would be greatly appreciated.
I am now on parental leave and do not currently have access to the "up to date" source code, so my answer is as I remember it. Also, for that reason I can't send you any source code, but you can see it through, for example, Reflector.
The check for publish rights is actually not performed in the approval workflow itself but in the corresponding ApprovalService class, which hooks up to the event InstanceStarting and in the event handler method checks that the approvers have publish rights and, if not, cancels the starting of the workflow.
So what you can do is to inherit the EPiServer.WorkflowFoundation.Workflows.ApprovalService class and override the method HasReadAndPublishRights (unfortunately it is not declared as virtual, so you have to use the new keyword). And in your implementation of the method you can then remove the check for publish rights. Then you can change the service declaration in web.config from the original ApprovalService to your custom service.
Unfortunately we have made the coupling between the approval workflow and the ApprovalService too "tight", so you will also need to "override" the user controls WorkflowApprovalEvent.ascx and WorkflowApprovalStart.ascx and change the codebehind implementation to refer to your approval service instead of the original one (the references are in the methods InvokeEvent). By override of a user control I mean that you have to use the VirtualPathMappedProvider to map requests for the original user controls (WorkflowApprovalEvent.ascx and WorkflowApprovalStart.ascx) to your new controls (you also have to change the namespaces so you don't get namespace collisions).
Hope this helps, post further questions and I will try to follow them up.
Any advice on how to override the user controls?
Does anyone know which DLL the WorkflowApprovalStart is in?
OK, there seems to be somewhere else that needs overriding, because I am still getting the error message saying the user doesn't have read or publish rights! Very strange. Can you please provide some assistance on this as soon as possible?