Access denied when using Link Collection property or MulitPageProperty
<p>In my last project I came across a rather strange error. In my solution (EPiServer CMS 5 SP3) a user could be logged in with a user that don’t have read access to the startpage but having full access to a specific part of the site including the Edit mode.</p>
In this specific part of the site I had documents that refer to other pages and links, and I used MultiPageProperty for this. In R2 you would probably use the Link Collection property. But when the user clicked the icon to add a new reference the window that popped up included an “Access Denied to page 5” error (5 = my startpage)! I found this very strange since the page never referred to the startpage at any point in the code.
The problem is that if you have a page that inherits from TemplatePage and that the URL don’t contain an page id then it tries to open the page in the context of the startpage.
There are two ways to solve this problem:
1. Add CurrentPage id in the URL (in this case you’ll need to modify the relevant aspx pages in the MultiPageProperty or if you use Link Collection then you need to modify the PropertyLinkCollectionEditControl).
2. Or if you know the accessrights the user needs you can override the PageData GetPage (PageReference pageLink) and AccessLevel RequiredAccess() methods for each page (or you can create a new pagebase class for these pages).
In this specific case with the pop-up window I permitted the user to read from startpage by adding the following code to my MultiPageSelector.aspx page:
<script type="text/C#" runat="server">
public override PageData GetPage(PageReference pageLink)
return DataFactory.Instance.GetPage(pageLink, AccessLevel.NoAccess);
public override AccessLevel RequiredAccess()
Not sure if this behavior is a feature or a bug in EPiServer but in my personal view it should be fixed since the dialog window don’t contain any information that needs to be hidden for a user in Edit mode and if the user want to select a page from the pagetree it is filtered on access rights anyway.