Vulnerability in EPiServer.Forms
How can we configure and access Visitor Groups in Episerver 6 R2? In edit mode when we click the Visitor Groups link and then try to add the gadget we get the message:
Statistics are either not available for the selected visitor groups or there are none selected.
Trying to change settings for Visitor Group Statistisk gives the message: No Visitor Group selected.
If we then go to Edit Mode and then click the link Visitor groups, Nothing happens. The page just reloads!
Is there any access path needed in web.config in order to get Visitor Groups to work?
You should be in one of the following roles to administer visitor groups:
You can change which groups are added to those in episerverframework.config by change the roles attribute.
<add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" /><add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" />
Thanks for your reply guys.
Dmytro: are CmsAdmins and VisitorGroupAdmins built in groups in Episerver or we have to create them and then set the access right somewhere?
Per: We use active directory for user authentication and have configured different access levels for administrators and editors at <authorization> block in web.config. In episerverframework.config we have added:
<add name="VisitorGroupAdmins" roles="domain\Ad groupe name" type="EPiServer.Security.MappedRole, EPiServer" mode="Any"/>
But still no progress...
CmsAdmins and VisitorGroupAdmins are kind of default roles.
I think VisitorGroupAdmins is not defined when you install new EPiServer site, you can add it in virtualRoles section in EPiServerFramework.config file or define it in Admin mode.
CmsAdmins should be added by default in virtualRoles section of EPiServerFramework.config, in your case it could be something like
<add roles="domain\Ad groupe name,WebAdmins" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" />
I checked episerverframework.config. The CmsAdmins line existed already. As you mentioned in your latest post Dmytro it probably was added by default. I added the next line below for VisitorGroupAdmins role but it didn’t help. Attempting to add the gadget gives the same message (Statistics are either not available for the selected visitor groups or there are none selected) .. Trying to change settings for Visitor Group Statistic gives the message: No Visitor Group selected.
<add name="CmsAdmins" roles="WebAdmins, Administrators, domain\AD group name" mode="Any" type="EPiServer.Security.MappedRole, EPiServer.Framework" /> <add name="VisitorGroupAdmins" roles="WebAdmins, Administrators, domain\AD group name" mode="Any" type="EPiServer.Security.MappedRole, EPiServer.Framework" />
Ok, maybe I didn't understand your question. I thought that main problem is that you cannot access visitor groups settings by clicking on Visitor Groups section in global navigation menu.
So - can you go to Visitor Groups settings in global menu? Do you have any visitor group defined?
I can access the settings for the Visitor Group Statistics Gadget. But we do not have any visitor groups defined. Where do we define these groups?
Go to Edit mode and then select CMS / Visitor Groups section in global navigation menu.
I think it is something wrong with our Episerver instalation because when we go to Edit mode and then select CMS / Visitor Groups we get redirected to our predefiened "Page-can-not-be-found page". looks like this functionality does not even exist or correctly configuered. The question is what's needed to get it work.
Visitor Groups settings should be available on your site on http://yoursite/path/To/UI/CMS/VisitorGroups
Does your URL to Visitor Group settings look as expected?
Also you could check following:
This is how episerver.shell section looks like in our web.config file:
<episerver.shell> <publicModules rootPath="~/modules/" autoDiscovery="Minimal" /> <protectedModules rootPath="~/EPi/UI/"> <add name="Shell" /> <add name="CMS" /> </protectedModules> </episerver.shell>
Trying to go to http://sitename/EPI/UI/CMS/VisitorGroups gives HttpException: Not Found, like the page doesn't exist.
Configuration looks good.
It seems that visitor group controller cannot be resolved, may be CMS module is not initialized properly.
I would try to install new clean EPiServer site on that environment, check how Visitor Group settings works on clean site and what is the difference comparing to the site where VG settings are not available.
Sounds like a good idea. Many thanks for your answers.
the VisitroGroup link only appears when i am logged in as Administrator of our AD server. but when i log in using my account (which has a Admin role in the intranet) the visitor groups link does not appear