Vulnerability in EPiServer.Forms
I've created some new access rights on a site; I've not done this for a few years, so the steps required are a bit rusty.
The user group is called "Sandboxeditor" and has full permissions on a specific node in our content tree. It has read access only to the root folders.
I've created a user, and assigned this user to the group.
I’ve added the following to my web.config to (I think) allow access to edit mode:
<add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI"/>
<add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer"/>
<add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI"/>
<globalization requestEncoding="utf-8" responseEncoding="utf-8"/>
<allow roles="SandboxEditor, WebEditors, WebAdmins, Administrators, UpdatesArticleUsers"/>
The issue is that I don't get a login error (so the username and password are correct), but if I try to access the CMS URL, I get sent back to the login screen. I'm sure I've missed a step along the way, but can't recall what.
First, the normal way is to restrict WebEditors to only being able to log in to Edit mode, then create separate groups that actually have access rights in the page tree. That way it's easy to administer new editor groups that have access rights to part of the tree without having to touch web.config.
Sure, but I'm forgetting the steps to do that. What does one do, or where should I update/edit, to allow that?
First, limit WebEditor access rights to read access only, like the Everyone user, in admin mode (Set Access Rights). It's easiest to do it in admin mode, since you can set access rights for parts of the tree structure there, compared to page by page in edit mode.
Add access rights for SandboxEditor to allow editing part of the tree, using the same tool in admin mode.
Create a user that belongs to both groups.
Log in. Enjoy!
You do not need to add SandboxEditor to any location tags in web.config then, since the user is also a WebEditor and can log in to edit mode that way.
Note: Remember to do the same for files in the production environment. Otherwise the user can edit only parts of the page tree but can access all files and delete them, which is usually not the Sandbox behaviour you are looking for :)
Daniel is absolutely right. There's also a good article on this topic: http://world.episerver.com/Articles/Items/Restricting-Page-Display-in-Edit-Mode/ which gives example scenarios and best practices with regard to using the WebEditors and WebAdmins virtual roles.
Arild: Seems the link you are referring to does not exist.
The link opens just fine here, Linus. Google agrees: https://www.google.no/?gfe_rd=ctrl&ei=yfEWU8n6DuiO8QeLqoDIBQ&gws_rd=cr#q=episerver+Restricting+Page+Display+in+Edit+Mode
Right, removing everyone group and replacing it with an anonymous group will make it possible to hide parts of the tree structure for editors as well. I like that little trick...
@Arild: Interesting, the link clearly works for me now. But I got a friendly 404 before my last comment. I guess that I have to talk to the World team about this...
I've tried doing the above with the anonymous group. It's fine, but it ends up hiding half your site when you try to view it (as once logged in they no longer have read access!). You also need to give them read access on any parent pages so the tree can load. I've done that on an EPiServer 7 site.
I think my main issue is a larger configuration problem, as at some point the config files were upgraded from IIS6 to IIS7. I'd already tried all of the above before I posted here.
Thanks for all the suggestions either way.
@Danny: In addition to <location path="(your-cms-path)">, you should also have nodes for access to Admin mode, <location path="(your-cms-path)/CMS/Admin">, and for the UI, <location path="UI">.
Are these present? How do they look?
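The following is an added example, not configuration posted by anyone in this thread. It writes out the three <location> nodes Arild asks about, following Daniel's model: WebEditors, WebAdmins and Administrators are the only roles that appear in web.config, and SandboxEditor is deliberately absent because a SandboxEditor user is also a WebEditor and reaches edit mode that way, while what that user may edit is set per node in admin mode (Set Access Rights). The UI path "episerver" is an assumption for an EPiServer 7 site; substitute the path the site actually uses. The <add tagPrefix=...> registrations in the original post belong under <pages><controls> and have no effect on who may log in; only the <authorization> rules do.

```xml
<!-- Added example, not from the thread. The path "episerver" is assumed;
     replace it with the site's own CMS path. ASP.NET evaluates the rules
     in each <authorization> top-down and stops at the first match, so the
     <allow> for the editor roles comes first and the catch-all <deny>
     last. Without the <deny users="*"/> the rules fall through to the
     inherited default, which allows everyone, anonymous users included. -->
<configuration>

  <!-- Edit mode and everything else under the CMS path -->
  <location path="episerver">
    <system.web>
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin mode: narrower than edit mode, editors are kept out -->
  <location path="episerver/CMS/Admin">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Shared UI resources used by edit and admin mode -->
  <location path="UI">
    <system.web>
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

Two checks worth doing against this layout. First, with Forms authentication, a user who authenticates successfully but matches no <allow> rule for the requested path gets a 401 that the FormsAuthentication module turns into a redirect back to the login page; so "correct password, bounced to login" is consistent with the logged-in account not being in any role listed for that <location>, which is one thing to verify before looking elsewhere. Second, the authorization rules only gate the URLs; the read and change rights on the page tree, and on files as Daniel notes, still have to be set in admin mode, or a sandboxed editor who can reach edit mode will see and touch more than intended.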