Vulnerability in EPiServer.Forms
Can anyone tell me how you can set up a new CMS Group in Episerver that will allow them to Save and Publish to a specific location in the Site tree? For example, I have a new Group called the "Contact Us" group - these guys should be set up to allow them Save rights to this page only. The rest of the site should be locked down so they can't edit or publish any other content.
I have added a user to this new group but they can't log in to the CMS - if I set them up with the WebEditor group too then they can log in but they also have access to the rest of the site (Save).
Can I set this user up so they can only have Save permissions to a specific page?
In web.config file you have something like this:
<allow roles="WebEditors, WebAdmins, Administrators" />
<deny users="*" />
If you add your ContactUs group inside the 'allow roles' element, they'll be able to access epi edit mode.
Check in admin mode whether you have WebEditors set to have editing access rights. You should use the WebEditors or some other group set in web.config as described above. Then you create a new group in admin mode, i.e. ContactUsEditors. This group you will use to add access rights to edit specific content. The "WebEditors" group is only for giving access into the system, as described in the previous post.
You will need to clear the access rights for WebEditors and only use that group for accessing the system and not use it to give editors specific rights to pages.
It is a common mistake to use the WebEditors group to give specific editor rights in the tree. There is some great information about access rights in the SDK for Editors: http://webhelp.episerver.com/CMS/7.5/EN/Default.htm#Authorization/Admin_IN_Authorization.htm%3FTocPath%3DAdministering%20the%20website%7CSetting%20access%20rights%7C_____0
Here's an explanation with images:
1. Create Contact Us group in admin mode: http://dcaric.com/ew-images/20140603/01.png
2. Click on Set Access Rights, select Contact Us page and uncheck Inherit settings from parent item: http://dcaric.com/ew-images/20140603/02.png
3. Click on Add Users / Group and add Contact Us group: http://dcaric.com/ew-images/20140603/03.png
4. Set permissions you want and click save: http://dcaric.com/ew-images/20140603/04.png
5. Modify web.config file so that Contact Us group has access to epi edit mode: http://dcaric.com/ew-images/20140603/05.png
6. When you log in as Contact Us user, you'll be able to edit only that page: http://dcaric.com/ew-images/20140603/06.png
Hope this helps!
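An added example, not part of any reply in this thread: a Python check that reads the `<allow roles>` / `<deny users>` rules discussed above from web.config, lists which roles can reach each UI path, and flags a location whose rule list is not closed by a deny-all. The `<location>` paths, the `ContactUs` role name, the sample file and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): the quoted rule with a hypothetical
# "ContactUs" role added; both <location> paths are assumptions.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="EPiServer">
    <system.web><authorization>
      <allow roles="WebEditors, WebAdmins, Administrators, ContactUs" />
      <deny users="*" />
    </authorization></system.web>
  </location>
  <location path="EPiServer/CMS/admin">
    <system.web><authorization>
      <allow roles="WebAdmins, Administrators" />
    </authorization></system.web>
  </location>
</configuration>"""


def _csv(value):
    """Split a comma-separated attribute into trimmed names."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_ui_access(config_xml):
    """Return {location path: {"roles": [...], "closed": bool}}.

    ASP.NET evaluates authorization rules top to bottom and stops at the first
    match, so only <allow> rules placed before <deny users="*"> matter.
    "closed" is False when no deny-all rule ends the list or when
    <allow users="*"> comes first.
    """
    report = {}
    for location in ET.fromstring(config_xml).iter("location"):
        rules = location.find("system.web/authorization")
        if rules is None:
            continue
        roles, closed = [], False
        for rule in rules:
            users = _csv(rule.get("users"))
            if rule.tag == "deny" and "*" in users:
                closed = True
                break
            if rule.tag == "allow":
                if "*" in users:
                    break  # everyone matches here; later rules never apply
                roles.extend(_csv(rule.get("roles")))
        report[location.get("path")] = {"roles": roles, "closed": closed}
    return report
```

Any role this reports for the edit-mode path can only log in to the UI; what it may change is still decided by the per-page access rights set in admin mode.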
Many thanks - all your replies have helped a lot
Hi, yes it is, except that you also control media data in the access rights tree as well.
So to give access to a specific group we have to modify web.config?
I'm just looking for a way to make the CMS admin able to give access to specific pages to a group of editors through the CMS without modifying the web.config.
Is it possible?