
Security and access control breaking changes

Breaking changes to security, access control, preview tokens, and the approval engine in CMS 13.

This article covers security, access control, preview token, and content approval engine breaking changes in CMS 13.

EPiServer.Security.PrincipalInfo

  • Method HasEditAccess was removed in favor of user.IsInRole(Roles.CmsEditors).
  • Method IsPermitted was removed in favor of PermissionService.IsPermitted.

EPiServer.Security.AccessControlEntry

  • Now overrides object.Equals and object.GetHashCode.

EPiServer.Security.AccessControlList

  • Now overrides object.Equals and object.GetHashCode.

EPiServer.Security.RawACE

  • Property SID was removed because it is no longer used.
  • Public fields were changed to public properties.

EPiServer.Security.SecuritySaveType

  • Values RecursiveReplace, RecursiveModify, and Modify were removed because they are no longer used.

EPiServer.Security.SystemPermissions

  • Property WebServiceAccess was removed because it is no longer used.

Preview tokens

Preview tokens are simplified in CMS 13. Content reference validation is no longer used:

  • EPiServer.Security.IPreviewTokenService – The ContentReference arguments were removed because tokens are no longer issued for specific content. TryGetPreviewToken also requires an IPrincipal argument to determine the user for which the token is issued.

  • EPiServer.Security.PreviewTokenService – Constructor arguments IPrincipalAccessor, IContentAccessEvaluator, and IContentLoader were removed.

  • EPiServer.Security.PreviewToken – The ContentReference property was removed. The User property is now of type IPrincipal instead of IIdentity.

  • EPiServer.Security.PreviewTokenContentReferenceValidation – The enum was removed because content reference validation is no longer used.

  • EPiServer.Security.PreviewTokenOptions – The ContentReferenceValidation property was removed.

Content security events

  • EPiServer.DataAbstraction.IContentSecurityRepository – Events ContentSecuritySaved, ContentSecuritySaving, and ContentSecurityDeleted were removed in favor of events on the EPiServer.DataAbstraction.IContentSecurityEvents interface.

Approval engine

  • IApprovalEngine – Now throws ArgumentOutOfRangeException rather than IndexOutOfRangeException if stepIndex is out of range.

  • IApprovalEngine – The API requires Administer access rights to transition a content version from AwaitingApproval (unless IContentRepository.Save is called with AccessLevel.NoAccess).

  • IApprovalEngine – Content under an approval definition must go through the approval workflow before publishing. Publishing such content throws a ValidationException. To bypass this validation using SaveAction.SkipValidation, the user must have Administer access rights (unless IContentRepository.Save is called with AccessLevel.NoAccess).

  • EPiServer.Approvals.ApprovalStepEventHandler – Delegate was removed in favor of EPiServer.Approvals.IApprovalEngineEvents.

  • EPiServer.Approvals.IApprovalTypeRegistry – A new method Unregister was added to the interface.

Permission repository

  • EPiServer.DataAbstraction.PermissionRepository – Methods GetPermissions, SavePermissions, and DeletePermissions were removed in favor of corresponding asynchronous methods.