Vulnerability in EPiServer.Forms
I was under the impression that one major (and I mean MAJOR) feature added in the CMS 6 release was the ability to set page permission per language. I.e. that a single page (a single PageID) can have different permissions on e.g. English and Swedish content. I was very disappointed to find that the permission set om a particular page was also set on all other language versions of that page.Am I missing something? I was 100% positive that this was a major feature appearing in the CMS 6 version.
One more thing that I consider a serious bug in the CMS 5 and CMS 6 releases is the access rights page where you can view and modify permissions on the currently selected page. The code behind this page simply checks the PageReference and if the RemoteSite property is set, promptly disables all the fields in the page.This is correct if the page in question is located on a remote site. BUT. The remoteSite property of the PageReference is also used to specify that a page is located on a specific custom PageProvider. This means that although the "Security" in the "Capabilities" tag is specified, the user cannot edit and set the permissions of any of the pages. This effectively hampers the functionality and usefulness of the custom PageProviders. It's not an option if you need the user to be able to set the page permissions.
The new feature was setting access level for a language. Such as "only this group is allowed to edit pages in English".
That is correct that it is not possible to set security rights for pages from a custom page provider through EPiServer UI/API. So if editors should have possiblity to set access rights for those pages a custom UI must be buillt for this (a plugin).
In next version of EPiServer CMS this will be changed so it will be possible to set access rights for custom pages as well through the built in UI (requires though that the provider in question implements some new methods for that purpose).
In the next version of EPiServer, will it be possible to set permissions per page and language?
To only set permissions per complete language is way too coarse an option for many large corporations.
In a large company, if somebody in e.g. Norway can change or distort pages belonging to the Swedish branch, it's disaster.
To resort to putting all branches in separate positions in the EPiServer page tree and still keep the pages consistent across languages is cumbersome if not impossible.
Will this be an added functionality in the next version of EPiServer?
I guess if Norway-editors should never be able edit Swedish pages it is solved by the global language access level I described.
The example was greatly simplified.
I know that it is possible to set permissions on the actual languages in EPiServer 6. Great but too coarsely grained.
The customers in question need to expose some pages to other languages but certainly not all.
OK! If it's really critical I'd say it's fairly easy to build a custom group/user selector propertytype and use it as a dynamic property. Then check it and the languagebranch in some suitable event to allow a page to be saved or created.
I guess one reason the feature is not added is that it would complicate the access rights UI even more. It's hard for normal users to understand as it is.