Vulnerability in EPiServer.Forms
Hi, after a successful install of EPiServer Mail version 5.1.343.270 the Mail link is not visible in the global navigation bar. When I directly try to go to the URL EPiServerMail/Mailings.aspx I get an 'access denied' message.
Can anyone help me!
It seems that by default only WindowsMembershipProvider users are allowed. How can I also allow SqlServerMembershipProvider users to access EpiMail?
Please make sure that the user is a member of the MailAdmins and/or the MailEditors roles.
I've created the groups and assigned users to them. Unfortunately I still don't see the tab.
I've also edited the web.config and changed the EPiServerMail location section:
<location path="EPiServerMail">
  <system.web>
    <authorization>
      <allow roles="MailAdmins,MailEditors,Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
This also didn't do it.
EPiServer Mail uses its own user/group system for permissions. Actually it's the same one as EPiServer Community/Relate. You have to configure the integrating membership provider to use your existing users. See this blog post for more info about your options:
It sounds like you have some issues with the integration parts of your configuration. Please open a support case and supply your configuration and you will surely get the help you need.
I am already using the MultiplexingRoleProvider. So now I've replaced the SqlServerRoleProvider with the EPiServerCommonRoleProvider. Unfortunately this also doesn't work. It's impossible to log in now.
<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear />
    <add name="MultiplexingRoleProvider"
         type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
         provider1="EPiServerCommonRoleProvider"
         provider2="WindowsRoleProvider"
         providerMap1="EPiServerCommonMembershipProvider"
         providerMap2="WindowsMembershipProvider" />
    <add name="WindowsRoleProvider"
         applicationName="EPiServerSample"
         type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
    <!-- The Version attribute was garbled in the posted text; 2.0.0.0 is the System.Web assembly version for .NET 2.0/3.5 and is assumed here. -->
    <add name="SqlServerRoleProvider"
         connectionStringName="EPiServerDB"
         applicationName="EPiServerSample"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <add name="EPiServerCommonRoleProvider"
         applicationName="EPiServerCommonApplication"
         type="EPiServer.Common.Web.Authorization.RoleProvider, EPiServer.Common.Web.Authorization" />
  </providers>
</roleManager>
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear />
    <add name="MultiplexingMembershipProvider"
         type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
         provider1="EPiServerCommonMembershipProvider"
         provider2="WindowsMembershipProvider" />
    <add name="WindowsMembershipProvider"
         type="EPiServer.Security.WindowsMembershipProvider, EPiServer"
         deletePrefix="BUILTIN\"
         searchByEmail="true" />
    <!-- Version attribute garbled in the posted text; 2.0.0.0 assumed, as above. -->
    <add name="SqlServerMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="EPiServerDB"
         requiresQuestionAndAnswer="false"
         applicationName="EPiServerSample"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />
    <add name="EPiServerCommonMembershipProvider"
         applicationName="EPiServerCommonApplication"
         type="EPiServer.Common.Web.Authorization.MembershipProvider, EPiServer.Common.Web.Authorization" />
  </providers>
</membership>
I find it strange that you can't log in at all, that configuration should allow you to log in with accounts both in the windows membership provider and the common membership provider.
However, even if that would work you don't get access to the mail tab with that config when you log in with a windows membership account. What you need to do is to use the integrating membership provider, or your users and their roles won't be copied to the common membership provider so that EPiServer Mail can gain knowledge of them.
Refer to the section "A bit more advanced configuration" in the link in my previous reply.
Success! After undoing the changes in the RoleProvider and logging back in with the previous settings, the tab is now displayed. Don't ask me how.
I installed, through EPiServer Deployment Center, a new Alloy sample site. It works fine as expected. On the same site installation, I installed EPiServer Mail, also through EPiServer Deployment Center. All the components are installed successfully. I don't touch anything in the project. It is a clean installation of the sample site and EPiServer Mail.
I have the same problem. The Mail tab is not visible and I also get an access denied message if I call the URL /EPiServerMail/Mailings.aspx.
It sounds like your user isn't a member of any of the "MailAdmins"/"MailEditors"/"Administrators" groups according to EPiCommon.
Iirc, with the default config for membership/roleprovider as well as episerver.common/integration it should work provided the user has the relevant roles (roles which are then synced to these EPiCommon group memberships, which are what EPiMail actually looks at).
Checking the roles would be a good first step.
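As an added diagnostic example (not code from this thread or from EPiServer), the following ASP.NET page code-behind lists, for the logged-in user, the roles returned by every configured role provider, rather than only by the default multiplexing provider. That makes it visible whether the EPiServerCommonRoleProvider (the provider EPiServer Mail consults, per the replies above) knows the user at all. It uses only the standard System.Web.Security provider collections; the provider name "EPiServerCommonRoleProvider" is taken from the web.config posted earlier in the thread and the role list from this reply, so adjust both if your configuration differs. Place the page inside an admin-only authorization location, because it discloses group membership.

```csharp
using System;
using System.Linq;
using System.Web.Security;
using System.Web.UI;

// Added diagnostic page, not part of EPiServer or of this thread.
// Save as RoleDiagnostics.aspx.cs behind an admin-only <location> rule.
public partial class RoleDiagnostics : Page
{
    // Role names EPiServer Mail expects, as named in the thread.
    static readonly string[] MailRoles = { "MailAdmins", "MailEditors", "Administrators" };

    // Provider name as configured in the posted web.config (assumption: yours is named the same).
    const string CommonRoleProviderName = "EPiServerCommonRoleProvider";

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        if (!User.Identity.IsAuthenticated)
        {
            Response.Write("Not authenticated.\n");
            return;
        }

        string user = User.Identity.Name;
        Response.Write("User: " + user + "\n");
        Response.Write("Default membership provider: " + Membership.Provider.Name + "\n");
        Response.Write("Default role provider: " + Roles.Provider.Name + "\n\n");

        // Query each provider separately: a role that exists in the SQL or Windows
        // provider but not in the EPiCommon provider is exactly the symptom in this thread.
        foreach (RoleProvider provider in Roles.Providers)
        {
            string[] roles;
            try
            {
                roles = provider.GetRolesForUser(user);
            }
            catch (Exception ex)
            {
                Response.Write(provider.Name + ": error " + ex.GetType().Name + " - " + ex.Message + "\n");
                continue;
            }
            Response.Write(provider.Name + ": " + (roles.Length == 0 ? "(no roles)" : string.Join(", ", roles)) + "\n");
        }

        // Summarise what EPiServer Mail will see through the EPiCommon provider.
        RoleProvider common = Roles.Providers[CommonRoleProviderName];
        if (common == null)
        {
            Response.Write("\nNo role provider named " + CommonRoleProviderName + " is configured.\n");
            return;
        }

        string[] commonRoles = common.GetRolesForUser(user);
        string[] matched = MailRoles
            .Where(r => commonRoles.Contains(r, StringComparer.OrdinalIgnoreCase))
            .ToArray();

        Response.Write(matched.Length == 0
            ? "\nEPiCommon reports none of " + string.Join("/", MailRoles) + " for this user.\n"
            : "\nEPiCommon reports " + string.Join(", ", matched) + " for this user.\n");
    }
}
```

The final comparison is on the exact role name, so a Windows group that the Windows role provider reports as ORGXXX\MailAdmins is listed under that provider but is not counted as MailAdmins; seeing the per-provider lists side by side shows which provider holds the role and under which name.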
Thank you for your answer.
The login account I use is an Active Directory account (WindowsMembershipProvider). This user is member of groups like "ORGXXX\MailAdmins", "ORGXXX\MailEditors", "ORGXXX\Administrators".
After creating a new user account (SqlServerMembershipProvider) via "Admin->Create User" and assigning it to the "Administrator" group, the Mail tab was visible!
How can I configure our AD groups to be accepted by EPiServerMail?
Adding the groups in web.config doesn't work:
<allow roles="WebAdmins,MailEditors,Administrators,ORGXXX\MailAdmins,ORGXXX\MailEditors,ORGXXX\Administrators" />
<deny users="*" />
Also doesn’t work:
<allow users="*" />