Vulnerability in EPiServer.Forms
This is what I have done:1. Created a new page in english2. Added a picture to the Page Files folder and then added it to the page3. Created a swedish version of the page and added the same picture from the same Page Files folder4. Stop published the english version of the page
The result is that the picture is no longer avaliable on the swedish page when not logged in.What can I do to override this? Does the Page File folder only inherit from the language where it was created?
Just curious, does it matter if you'd "re-select" the image on the Swedish language version and publish it again?
Also, what happens if you double-click the image in the file explorer? Do you see it properly?
Just did a test on the demo site and re-selecting it will solve the problem.
Would still consider it a bug. So send a case to support
I tried to re-selecting it but it still wont show. Did you do anything special? The image I am working with is added through TinyMCE image button.I removed the image and added it again. Still no show.If I double-click on the image from within episerver then it shows properly but that's just because I'm logged in.Otherwise the image wont show. RegardsSandra
Another curious question, did the English language version expire, or did you remove the English language version altogether?
Either way, it actually sounds like a bug to me as well. Odd, I'd think I'd come across it before... :/
Hi!No the English language version still exists and so does the page, it has just been unpublished. But the Page File folder was created when the page tree was in English. So now I cant reach it from my Swedish published page.
If I set bypassAccessCheck to true instead of false then the image shows.
My question is, is there any downsides to doing this?
The downside would be that if you have pages that are not available to everyone, files in their page folder would not have the same check. Ie, they would be available to everyone, providing they know the path to the file.
Also, in case you are tracking your bug, it's been closed as a duplicate. An identical bug was actually reported last week (bug id 61675).
Per GunsarfsEPiServer Development Team
Page folder access rights are connected to the master language of the page. The master language can not be deleted but unfortunately it's possible to unpublish the master language version before another language. If this happens files in the page folder are no longer available regardless of what language your browsing since the the page folder files are not language aware.
The suggested short term "fix" is to alert the editor when publishing a language version if the master language branch has a stop publish date prior to any other language and the page folder exist. The long term idea is to make it simpler to change master language on a page and not allow the master language version to be unpublished before all other language are unpublished.
RegardsLinus EkströmEPiServer Development Team
Can I choose to set bypassAccessCheck to true on some Page Files folders and false on some other Page File folders?Example: a site with an intranet where the Page File folders on the site has bypassAccessCheck set to true and the intranet has it set to false.
You set it per virtual path provider, so you could set it to true for the Page Files, but not others (like Global and Documents in the default templates). However, I don't think it's possible to configure it for Page Files on just part of the page tree.