Vulnerability in EPiServer.Forms
We have language-specific roles, so an editor of one language cannot change the content in another language, only the language he has access to. In our scenario, we have created two languages, EN and SV, and one user group for each language: EN editors for editing EN-language pages, and the same for SV editors.
We noticed that an SV editor can delete the page if it is translated into SV while the master language is EN, even though the SV editor doesn't have Change permission for the EN language.
So, ideally an editor is not allowed to change the content for a language he doesn't have access to, and that is working fine, but he can still delete the page. Ideally he should be allowed to delete his own language version but not the whole page.
I hope you understand me, and if we could have this feature available in Episerver out of the box, it would be good.
We have made use cases and below are our results using the latest version of Episerver CMS.
Cases marked with gray and red are incorrect results.
Please note that deleting a page means deleting all versions for all languages. If you want to restrict the editor from deleting the page, then the idea is:
Hope this helps!
One of the options is to subscribe to `IContentEvents.DeletingContent` and check access permissions there. If the current user who is trying to delete the content does not "qualify" to do so (according, for example, to your provided analysis), you can set `args.CancelAction = true` and `args.CancelReason = "...."` to give the user an explanation of why he or she is not able to delete this content.
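The check described in this answer, written out as an added example (this is not code from the thread or from Episerver itself). It is an `IInitializableModule` that subscribes to `DeletingContent` and, because editors normally "delete" by moving a page to the waste basket, also to `MovingContent` when the target is `ContentReference.WasteBasket`. The policy it enforces matches the thread: a delete removes every language version, so it is only allowed when the current principal has Change access on the page's master language branch, which is looked up through `ILanguageBranchRepository` and the branch's `ACL`. The class name `MasterLanguageDeleteGuard` and the wording of the cancel reason are this example's own choices; it assumes the CMS 10/11-era `AccessControlList.QueryDistinctAccess(IPrincipal, AccessLevel)` overload.

```csharp
using EPiServer;
using EPiServer.Core;
using EPiServer.DataAbstraction;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.Security;

// Added example, not Episerver's own code: refuse to delete (or trash) content unless the
// current user has Change access on the content's master language branch.
[InitializableModule]
[ModuleDependency(typeof(EPiServer.Web.InitializationModule))]
public class MasterLanguageDeleteGuard : IInitializableModule
{
    private IContentLoader _contentLoader;
    private ILanguageBranchRepository _languageBranches;

    public void Initialize(InitializationEngine context)
    {
        _contentLoader = context.Locate.Advanced.GetInstance<IContentLoader>();
        _languageBranches = context.Locate.Advanced.GetInstance<ILanguageBranchRepository>();

        var events = context.Locate.Advanced.GetInstance<IContentEvents>();
        events.DeletingContent += OnDeletingContent;   // permanent delete (e.g. emptying the waste basket)
        events.MovingContent += OnMovingContent;       // "delete" from the edit UI is a move to the waste basket
    }

    public void Uninitialize(InitializationEngine context)
    {
        var events = context.Locate.Advanced.GetInstance<IContentEvents>();
        events.DeletingContent -= OnDeletingContent;
        events.MovingContent -= OnMovingContent;
    }

    private void OnDeletingContent(object sender, ContentEventArgs e)
    {
        GuardAgainstCrossLanguageDelete(e);
    }

    private void OnMovingContent(object sender, ContentEventArgs e)
    {
        // Only a move into the waste basket counts as a delete; ordinary moves are left alone.
        if (e is MoveContentEventArgs move && ContentReference.WasteBasket.CompareToIgnoreWorkID(move.TargetLink))
        {
            GuardAgainstCrossLanguageDelete(e);
        }
    }

    private void GuardAgainstCrossLanguageDelete(ContentEventArgs e)
    {
        // Content may not be populated on the event args, so load it from the link.
        if (ContentReference.IsNullOrEmpty(e.ContentLink) ||
            !_contentLoader.TryGet<IContent>(e.ContentLink, out var content))
        {
            return;
        }

        // Non-localizable content has no master language; nothing to guard.
        if (!(content is ILocalizable localizable) || localizable.MasterLanguage == null)
        {
            return;
        }

        // Language access in Episerver is configured on the language branch's ACL.
        var masterBranch = _languageBranches.Load(localizable.MasterLanguage.Name);
        if (masterBranch == null)
        {
            return;
        }

        // The SV editor from the thread has Delete on the page but no Change on the EN branch,
        // so this is the check that stops the whole page from disappearing.
        if (masterBranch.ACL.QueryDistinctAccess(PrincipalInfo.CurrentPrincipal, AccessLevel.Change))
        {
            return;
        }

        e.CancelAction = true;
        e.CancelReason = string.Format(
            "'{0}' cannot be deleted: deleting removes every language version, and you do not have Change access to its master language ({1}).",
            content.Name,
            localizable.MasterLanguage.Name);
    }
}
```

The module cancels the whole operation rather than trying to delete only the editor's language version; removing a single language branch is a separate operation (`IContentRepository.DeleteLanguageBranch`) that the editor can still perform from the edit UI, which is the behaviour the original poster asked for.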
@Binh Nguyen We need to provide Delete permission on the page, so an editor should be able to delete pages they have created in their language if they have access. So the expectation is that editors should be allowed to delete pages which they have created, and they should also be allowed to translate pages into their local language which were created by other editors in a different language. But they should not be allowed to delete pages which they have translated, even though they have Delete access on that page, because they do not have access to the master language.
@valdis iljuconoks I agree with you that we can have a language access check on the page move or delete event and cancel the action if they don't have language access, but I expect to have this as an out-of-the-box feature in the framework.