Vulnerability in EPiServer.Forms
I know you can apply permissions to editing tabs, but to edit Dynamic Properties, you have to have Admin permissions on the page, which means you already have the highest permission set.
This means that if someone can edit any Dynamic Property, they can, by definition, edit all Dynamic Properties.
Am I understanding this correctly? And, what can be done about it, if you want to keep a tab secure, only to specific users?
Yes, you are understanding it correctly. I have always thought that this design is odd. Nowadays we have very few dynamic properties and have most of the "global" properties on a settings page.
We have done the latter for use on some pagetypes.
I've used this code in the past to hide properties in Edit Mode. Is there some equivalent event I could hook when the Dynamic Property interface loads, and hide it this way?
private void EditPanel_LoadedPage(EPiServer.UI.Edit.EditPanel sender, EPiServer.UI.Edit.LoadedPageEventArgs e)
{
    // Hide the "Pagename" property from the Edit Mode UI.
    e.Page.Property["Pagename"].DisplayEditUI = false;
}
I did a little digging. EditDynProp is the page. The only event it throws is PageSetup. In that event, the CurrentPage is not populated. Additionally, the Controls collection for the underlying page hasn't been populated either, so I can't see a way to hide a control.
I opened a ticket with support, and they pointed me to this blog post by Anders:
Seems like a lot of work for something that should be simple-ish. I feel like tab access should be controlled by group/user access, not page permissions.