Vulnerability in EPiServer.Forms
I am having trouble coping pages in a EPiServer site that has recently been upgraded to CMS6 R2.
The background job fails with the error message:
"Failed to copy the page "foo" beneath the page "bar". Copying a page requires permission to create new pages beneath the destination page."
The user i am logged in does have permission to create pages under the taget page though... I have tried creating new pages there and it works fine. If I alow the group "Everyone" to create pages it also works to copy pages so it defenatly seems to be permission related.
The site is using the MultiplexingMembershipProvider with WindowsMembershipProvider and EPiServerCommonMembershipProvider.
Any tips on what i am doing wrong or how to troubleshoot this further?
Does it fail when you try and start it manually with the user that had access rights to create a page?
If it's only when running automatically then you could create a system user that has the rights you want it to have and then elevate the user rights for the job by letting the code run with that user.
PrincipalInfo.CurrentPrincipal = PrincipalInfo.CreatePrincipal("sysUser"); ;
It sounds to me that you are referring to a scheduled job. Isen't background jobs as it is called in the EPiServer UI something different?
The UI for displaying the result of the jobs is located in EPiServer.UI.Edit.BackgroundJobs but I haven't found any information on how these are actually run.
Right you are. Was thinking about the scheduled job. So the issue arise when you try and copy and paste a page in the UI then?
Yes, and i can create a new page in the destination so i should have the appropriate access rights.
It would be interesting to know how the background jobs is run to see if it might be related to the site using the multiplexingprovider or something like that.
Interesting. Well it's not something I'm able to reproduce using the standard templates. Guessing you should run it by EPiSupport and give them the details about your pagetypes and so on.
One idea to get more information around the issue can be to turn on log4net logging and see if that gives more detailed information.
I have tried to turn logging to "All" but all i get is the SQL-statement used to get the error-report unfortunately.
In the enviroment where this error is occuring we also have windows authentication. When I turn that off, copying pages seem to work again ...
I have reported a bug for this so someone will take a look at it,
I've got the same problem. However it won't work even if I turn off Windows Authentication.
According to the bug list the issue is fixed:"This is reported from a forum post (see attached link), I have not tried to reproduce it.
Yes, there is a hotfix for it. You will have to request it from EPiServer though since its not a part of any official release yet.
It seems cut and copy page is implemented differently and thats why cut works.
Having a similar error now, but not with Windows Authentication enabled. The background job says "Failed to copy the page "Test page" beneath the page "Test page 2". The page type is allowed under "Test page 2" and the user has sufficent access rights.
The only thing I can find in the log is this:
2011-12-06 14:08:44,555 INFO [PipeServerChannel.ServerMain] EPiServer.DataAbstraction.ScheduledJob.Execute - 3.1.3 Scheduled job has already been executed 8de3f2b0-6e12-4716-a6f9-736f7e2f8944
The job "Publish delayed versions" had hung up, but that didn't fix the problem.
So where should I look now?
How do I req this hotfix?
Request it from EPiServer Support
I'm experiencing the same error. I have contacted Episerver support for hotfix.