Vulnerability in EPiServer.Forms
For some reason, the community gadgets are missing on my installation... what am I missing here?
Do you have the right access rights? Maybe you need to be logged in as administrator to see them.
Also see if they are loaded: /secretUIpath/shell/debug/modules
Hmm... I cannot access the URL; I get access denied. I'm logged on as a user with local admin permissions and full CMS/Relate permissions... strange.
I could however access that page logged in as domain admin. Does this mean anything to anyone? :)
[ShellModule 'Shell' routing from 'authui/' with resources at '/authui/Shell/' and client resources at '/authui/Shell/' with assemblies 'EPiServer.Shell, EPiServer.Shell.UI' containing controllers 'FailingGadgetController, AboutController, DashboardController, DebugController, SettingsController, ResourcesController, SearchController']
[ShellModule 'CMS' routing from 'authui/' with resources at '/authui/CMS/' and client resources at '/authui/CMS/' with assemblies 'EPiServer.Cms.Shell.UI, EPiServer.UI' containing controllers 'ExternalLinksController, NotChangedPagesController, NotesController, QuickLinksController, RSSReaderController, AboutController, XFormsViewerController, MyTasksController, RecentlyChangedPagesController, BrokenLinksController']
[ShellModule 'Community' routing from 'authui/' with resources at '/EPiServerCommunity/' and client resources at '/EPiServerCommunity/' with assemblies 'EPiServer.Community.Web.Administration, EPiServer.Community.Gadgets' containing controllers 'ApprovalController, ActivityController, AbuseReportController']
And also, the gadgets showed up logged in as domain admin.
The gadgets are available when I log in with the local administrator account or a domain admin account. Being a member of the local admin group does not help. I cannot find anything in web.config or EPiServer.config that's hardcoded to administrator... I really need help with this.
I am guessing that they use the virtual role "CmsAdmins". So just add your groups to that virtual role. It should be defined in the EPiServerFramework.config.
If that doesn't work, then you might be out of luck as they might be hardcoded to just allow the role "Administrator" to view them.
This topic may seem to be an old one, but I faced the same issue recently, and here is what I discovered:
What I did was add "CommunityAdmins" and "CommunityModerators" to the virtual role list in the EPiServerFramework.config file and configure them as required to include the roles that were coming from different role providers.
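The virtual role mapping suggested in this thread, sketched as an added example (it is not any poster's actual configuration). The group name `EXAMPLE\RelateAdmins`, the listed role names and the `type` string are assumptions; copy the `type` value from the `CmsAdmins` entry already present in your own EPiServerFramework.config.

```xml
<!-- Constructed example for EPiServerFramework.config; not from the thread. -->
<episerver.framework>
  <!-- Keep the attributes and provider entries your file already has on
       virtualRoles; only the mapped roles below are shown. -->
  <virtualRoles>
    <providers>
      <!-- Assumption: the type string must match the one used by the
           existing CmsAdmins entry in your installation. -->
      <add name="CmsAdmins"
           type="EPiServer.Security.MappedRole, EPiServer"
           roles="WebAdmins, Administrators, EXAMPLE\RelateAdmins"
           mode="Any" />

      <!-- Virtual roles named in the last reply. Map only the specific
           groups that need the community gadgets, not a broad group such
           as all authenticated users. -->
      <add name="CommunityAdmins"
           type="EPiServer.Security.MappedRole, EPiServer"
           roles="EXAMPLE\RelateAdmins"
           mode="Any" />
      <add name="CommunityModerators"
           type="EPiServer.Security.MappedRole, EPiServer"
           roles="EXAMPLE\RelateModerators"
           mode="Any" />
    </providers>
  </virtualRoles>
</episerver.framework>
```

After the change, log in as a member of the mapped group and as a user outside it, and confirm that only the former can reach the shell debug page and see the gadgets.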