Community Gadgets only available for local admins


I'm having some serious problems with the community gadgets in our testing environment. They only show up for users who belong to the builtin\administrators group, regardless of what other community groups they belong to or what rights have been set.

We're using WindowsRoleProvider and EPiServerCommonIntegrationMembershipProvider, so we're authenticating against our AD, and all groups from there have been added to EPiServer Community.

Feb 01, 2011 11:40


Please verify the authorization configuration section for the uiUrl folder in web.config to see whether it allows other groups. Can you post it here?


Feb 15, 2011 10:15

We've made some progress in identifying the error here. The community gadgets have an Authorize attribute that is hard-coded to look for Administrators, CommunityAdmins or CommunityModerators, regardless of whether you use those groups or not.

We can get users to see them if they are admins on the machine running the site (i.e. they belong to the group builtin\administrators, which apparently counts for the Authorize attribute), but that is less than ideal since our users get their groups from the AD anyway.

Mar 07, 2011 11:48

You can use virtual roles to remap the administrator role (in EPiServerFramework.config if you are using CMS6 R2):

  <virtualRoles replacePrincipal="true">
      <add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer" />
      <add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer" />
      <add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer" />
      <add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer" />
      <add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
      <add roles="Administrators, YourAdministratorRole" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
  </virtualRoles>


May 26, 2011 15:10

Did you ever solve this? I believe I have the same problem...

Sep 15, 2011 16:48

Sorry for taking so long to respond. I just forgot about it until doing an inventory of my inbox today. Unfortunately, I don't really have good news. We never did manage to solve this problem, at least not directly. Instead, we were forced to implement a complicated workaround.

The easiest fix to this problem is to just add users to the groups that are allowed to see the gadgets. It is possible that the membership provider (or is it the other one, I can never remember) overrides any groups assigned. It did for us anyway, which caused much larger problems with functionality that requires specific groups to function. Club-specific forums in Relate+ being one such example (and the only one I can think of). So we ended up bypassing the whole login process altogether, so we could persist manually assigned user groups. Which solved this problem for us as well.

Oct 03, 2011 13:26

I actually solved this now by modifying the GetRolesForUser method. You could do this in a number of ways. I wanted to check if the user is a member of a specific AD-group, like this:

public override string[] GetRolesForUser(string username)
{
    DirectoryData userResult = GetUser(username);

    if (userResult == null)
        return new string[0];
        //throw new ProviderException(String.Format("The user {0} does not exist.", username));

    // Groups resolved from AD (including nested groups) by the provider.
    List<string> roleList = GetRolesForUserRecursive(userResult);

    // Placeholder for the AD group whose members should get the community roles.
    const string adGroup = "YourAdGroupName";
    List<string> appendGroups = new List<string>();
    foreach (string thisRole in roleList)
    {
        // Windows group names are not case-sensitive, so compare accordingly.
        if (string.Equals(thisRole, adGroup, StringComparison.OrdinalIgnoreCase))
        {
            appendGroups.Add("CommunityAdmins");
            appendGroups.Add("CommunityModerators");
        }
    }
    roleList.AddRange(appendGroups);

    return roleList.ToArray();
}

Oct 04, 2011 16:52

Jonas (or some other helpful person),

where can I find this GetRolesForUser method?

We are still struggling with this problem (same group as author Våglin above used to attend). We tried to get rid of the workaround Våglin wrote about above but got stuck on this problem again. 

Any other suggestions how to sync CommunityAdmins with AD groups other than overriding the GetRolesForUser method?

We have tried the solution Tom Stenius wrote about in his blog: but it doesn't help us with the Community administration. With the EPiServerCommonIntegrationMembershipProvider I don't even see the Community tab as local admin, which I do if I only use the WindowsMembershipProvider.

Thanks in advance / Josef

Dec 20, 2011 13:53

You will find the method in ActiveDirectoryRoleProvider. You will have to follow this blog: and set up your site using that provider.

Dec 20, 2011 14:35

Thank you Jonas for your quick reply!

I downloaded the code Tom referred to but it didn't compile. I noticed he also refers to Relate+ 1.x but we run 2.0, and I also found out that those classes seem to exist in our EPiServer.Security assembly already, so I guess they have been included in 2.0?

Anyhow, instead I wrote a class that overrides WindowsRoleProvider which adds "CommunityAdmins" & "CommunityModerators" to the roles. That was successful in that I can now see the Community tab and some of the contents below the Admin & Moderate subtabs. But still some content (that I see as local admin) is hidden, and I get an access denied message on the first page after clicking the admin tab.

Do you know if this is related to the configuration, or if I have to manually set access rights to the community content for these groups?

Would it still be better to use the AD role provider instead of my overriding Win role provider? It's really hard to find any documentation about the differences between all different providers.

Thanks, Josef

Edited, Dec 21, 2011 9:20
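The two code-based approaches in this thread (Jonas's GetRolesForUser modification and Josef's WindowsRoleProvider override) can be combined into one provider that grants the hard-coded gadget roles only to members of specific AD groups, rather than to everyone the provider returns roles for. The class below is an added example written for this page, not code from either poster or from EPiServer. It assumes EPiServer.Security.WindowsRoleProvider is a non-sealed System.Web.Security.RoleProvider whose GetRolesForUser and IsUserInRole can be overridden (Josef's post indicates a subclass is possible); the domain group names are placeholders, and the role names CommunityAdmins and CommunityModerators are the ones the thread reports the gadgets check for.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using EPiServer.Security;   // WindowsRoleProvider (assumed base class, see lead-in)

// Added example: maps selected AD groups onto the role names the community gadgets'
// [Authorize] attribute is reported to check. Only the listed groups are mapped, so
// an ordinary authenticated user does not pick up CommunityAdmins by accident.
public class AdMappedWindowsRoleProvider : WindowsRoleProvider
{
    // AD group -> community roles to append. PLACEHOLDER group names; use the real domain groups.
    private static readonly Dictionary<string, string[]> AdGroupToCommunityRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"DOMAIN\Community Admins",     new[] { "CommunityAdmins", "CommunityModerators" } },
            { @"DOMAIN\Community Moderators", new[] { "CommunityModerators" } },
        };

    public override string[] GetRolesForUser(string username)
    {
        // Groups as resolved from Windows/AD by the base provider.
        string[] adRoles = base.GetRolesForUser(username) ?? new string[0];
        return ApplyMapping(adRoles).ToArray();
    }

    // An Authorize check may go through IsUserInRole instead of GetRolesForUser, so both
    // paths must agree: a mapped role is granted only when the user holds a mapping group.
    public override bool IsUserInRole(string username, string roleName)
    {
        if (base.IsUserInRole(username, roleName))
            return true;
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    // Pure mapping step, separated so it can be unit-tested without a domain controller.
    // Windows group names are case-insensitive, hence the comparer on both sets.
    internal static IEnumerable<string> ApplyMapping(IEnumerable<string> adRoles)
    {
        var result = new HashSet<string>(adRoles, StringComparer.OrdinalIgnoreCase);
        foreach (string role in adRoles)
        {
            string[] mapped;
            if (AdGroupToCommunityRoles.TryGetValue(role, out mapped))
                foreach (string m in mapped)
                    result.Add(m);
        }
        return result;
    }
}
```

Register the class as the default provider in the roleManager section of web.config in place of WindowsRoleProvider, and keep the mapping table as narrow as the gadgets require: because the role names are hard-coded on the gadget side, every group that maps to CommunityAdmins gets the full admin UI, so the mapping is effectively the access-control list for it.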

Did you modify the EPiServerFramework.config roles? I believe you have to add your AD groups to the virtualRoles section:

<add name="cmsAdmins" roles="Administrators, WebAdmins, YourAdGroupName" mode="Any" type="EPiServer.Security.MappedRole, EPiServer" />

Dec 21, 2011 14:57

Yes I did. I even added "CommunityAdmins" to "CmsAdmins" after I read your reply. But is the CmsAdmins role relevant for the Community content? What I really don't know yet is what the WebAdmins role is all about? Do you have a clue? Perhaps I should put it in my GetRolesForUser() as well?

Dec 21, 2011 15:03
This thread is locked and should be used for reference only. Please use the Legacy add-ons forum to open new discussions.