Vulnerability in EPiServer.Forms
I'm installing EPiServer Mail according to the installation guide on an out-of-the-box CMS 5 SP2 installation with the demo templates R1 installed. Additionally I have the CMS 5 security hotfix installed, the EPiServer Create+ license hotfix and EPiServer Mail hotfix.
The site is configured to use the SQL membership and roles providers and has a single user only - the administrator user.
The only way I can get EPiServer Mail to install is to select the RFC Provider. With this option selected I can get access to both admin mode (/netstar/admin) and the mail tab within EPiServer.
If I use the RFC Integration provider, selecting the SQL options for both users and roles, EPiServer Mail installs correctly but I have the following problems.
Is there a step I have missed that is not well documented for using the RFC Integration Provider, or are there any known issues with an installation of this type?
Do I need to manually configure any groups or users within EPiServer to get EPiServer Mail working in this scenario?
I have an idea on what the issue may be:
When you use the RFC Integration membership provider, in your web.config under the membership providers section, you have a line that looks something like this (by default, if you were using SqlMembershipProvider):
The StarSuiteIntegrationMembershipProvider synchronizes users from an underlying membership provider into the "Required Framework Components" user management.
The attribute provider determines which membership provider it uses, and roleToSynchronize1 determines a role that the user must have in order for it to be synchronized.
What I suspect is that according to the SqlMembershipProvider your user may not be a member of "Everyone". Could you try changing the roleToSynchronize1 value, then log out and back on again to see if this is the case?
I have modified web.config as follows (note that the administrator user is a member of the WebAdmins group):
<add name="StarSuiteIntegrationMembershipProvider" applicationName="StarSuiteApplication" type="StarSuite.Core.Web.Authorization.IntegrationMembershipProvider, StarSuite.Core.Web.Authorization" provider="SqlServerMembershipProvider" roleToSynchronize1="WebAdmins" />
I can see from the table "tblStarSuiteUser" that the administrator user has now been synchronised into the database, but I receive "Access denied" messages both on the Mail tab in EPiServer and in admin mode (/netstar/admin).
Digging around in the EPiServer Mail database I have managed to resolve the access denied problem (for both) by adding records to "tblStarSuiteGroupAdministrativeAccessRight" for the WebAdmins group, but surely this is not what should be required?
No, that is not supposed to be necessary.
The idea is that a user that should have access to EPiServer Mail should, first of all, be synchronized (which you resolved by changing the roleToSynchronize1), but also be a member of one of: Administrators (full access), MailAdmins (full access) or MailEditors (access to send, etc).
Those are the predefined groups that have permission to EPiServer Mail, and are in most cases sufficient.
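To make the two requirements from the answer above concrete, here is an added example of the web.config provider wiring (this is not configuration from the original thread or from the product documentation). It assumes a standard ASP.NET SqlMembershipProvider and SqlRoleProvider registered under the names "SqlServerMembershipProvider" and "SqlServerRoleProvider", and a connection string named "EPiServerDB"; those names and the connection string are placeholders chosen for the example. The integration provider attributes (provider, roleToSynchronize1) are the ones shown in the thread:

```xml
<configuration>
  <system.web>
    <membership defaultProvider="SqlServerMembershipProvider">
      <providers>
        <clear />
        <!-- Underlying store that actually holds the users (standard ASP.NET provider). -->
        <add name="SqlServerMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="EPiServerDB"
             applicationName="StarSuiteApplication" />
        <!-- Integration provider: copies users from the provider named in 'provider'
             into the mail user table, but only users that hold the role named in
             roleToSynchronize1. Keep this role narrow rather than "Everyone" so that
             only accounts that should reach the mail module are synchronized at all. -->
        <add name="StarSuiteIntegrationMembershipProvider"
             applicationName="StarSuiteApplication"
             type="StarSuite.Core.Web.Authorization.IntegrationMembershipProvider, StarSuite.Core.Web.Authorization"
             provider="SqlServerMembershipProvider"
             roleToSynchronize1="WebAdmins" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SqlServerRoleProvider">
      <providers>
        <clear />
        <!-- The role store must contain the role named in roleToSynchronize1 ("WebAdmins")
             and the mail groups a synchronized user needs (Administrators, MailAdmins or
             MailEditors), otherwise the user is synchronized but still gets "Access denied". -->
        <add name="SqlServerRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="EPiServerDB"
             applicationName="StarSuiteApplication" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Two things to check against this when an account is synchronized but still denied: the value of the provider attribute must equal the name of the underlying membership provider exactly, and the account must hold both the roleToSynchronize1 role and one of the three predefined mail groups, which live in the role store and are not created by the synchronization itself.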
Thanks. Creating the groups manually has resolved this.
With EpiMail 4.4 (the latest version and not the Star Suite version)
I have a similar access issue. If I log in with my machine administrator account using the multiplex membership and role provider I see the EpiMail tab.
I would like the custom user I created, part of the EPi group 'WebAdmins', to see the EpiMail tab functions, but this is not happening.
With the introduction of EPiServerCommonIntegrationMembershipProvider the groups are not getting copied to the permissions tables in SQL. If I have to physically add a group then I'll do so, but this thread applies to an older version.
If you are using the Multiplex provider you will have to add the groups a person should be within to get synced in.
Tom just wrote a very good blog post about the issue.