Vulnerability in EPiServer.Forms
Is it possible for admin users to bypass an approval sequence? For example, An approval sequence has been set up on a page where Tom has to have his edits approved by Ben.
However, if Ben wishes to edit that page directly himself, he still has to send his amends through to approve - he can then effectively approve his own work.
My question: Can Ben edit this page and have the option to publish without having to send his edits through the approval sequence?
No, that is not possible, there is no way to publish directly without going through the approval sequence (other than disabling the sequence).
That is a shame - perhaps this is something Episerver could consider?
It would be fantastic if an approver of a sequence could just publish the page (or set of pages) without having to go via the sequence. Going via the sequence not only results in extra clicks for this approver, but it also sends uneeded notifications.
I moved this thread to feature requests
As an Epi user and admin, I definitely agree. :-) But we have discussed this internally, and it is not something that is on the roadmap (yet, at least). The requirement for content approval came foremost from sectors where they need to keep tight control of the approvals for auditing reasons and can't allow admins to by-pass the approval flow. I will make sure to pass your feedback on to the product manager though.
Thanks Asa - good to hear your thoughts and feedback. And I understand the audit scenarios, however it would be worth feeding back to the team that there are other sectors with varying scenarios. So perhaps the added flexability would be beneficial to many.
Thanks for your help. :)