A critical vulnerability was discovered in React Server Components (Next.js). Our systems remain protected but we advise to update packages to newest version. Learn More.

AI OnAI Off

Home / Blogs / 2015 / 2 /

Mark Hall - Commerce

Feb 13, 2015

4792

(2 votes)

Important Updates to the ServiceApi

We have released a new version of the EPiServer.ServiceApi and I wanted to highlight some important features over the last two releases. As of version 1.2.0 the ServiceApi is now split out into two packages.

EPiServer.ServiceApi - this is the base package that only has dependency to EPiServer.Cms.Core. This package will allow you to import media as well as episerverdata files.
EpiServer.ServiceApi.Commerce - this is the commerce package that has a dependency to EPiServer.Commerce.Core. This package adds functionality to import catalog content and some restful operations for workng with catalog content.

As of version 1.3.0 all actions require permissions. This means the user getting an auth token must have access to the permissions to use the functions. The permissions are done with the new permissions to functions introduced in EPiServer.Cms.Core 7.19.1. The ServiceApi has two permissions read and write. Any function that manipulates data will require write access while all other require read access. By default when instaling version 1.3.0 the administrators role is granted read and write access.

If you would like to use the ServiceApi read and write permissions in your own webapi controlllers, you can decorate your method like below. You also have the ability to create your own permissions and use with the AuthorizePermission attribute.

[Route("myroute", Name = "mymethod")]
[HttpGet]
[AcceptVerbs("GET")]
[ResponseType(typeof(IEnumerable<Models.MyModel>))]
[EPiServer.ServiceApi.Configuration.AuthorizePermission(EPiServer.ServiceApi.Configuration.Permissions.GroupName, EPiServer.ServiceApi.Configuration.Permissions.Read)]
public virtual IHttpActionResult MyMethod()
{
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }
        return Ok(ModelFactory.GetMyMethod());
}

ServiceAPi automatically registers controllers with attribute routing so this allows you to use the permissions in your own webapi controllers. We needed to add a new AuthorizePermission for webapi controllers, the one introduced in EPiServer.Web.Mvc is only for mvc controllers.

There were also some additional security updates which lead the removal of httpmodule EPiServer.ServiceApi.IntegrationAuthorizationModule.

Feb 13, 2015

Comments

Please login to comment.

A day in the life of an Optimizely OMVP - Optimizely Opal: Specialized Agents, Workflows, and Tools Explained

The AI landscape in digital experience platforms has shifted dramatically. At Opticon 2025, Optimizely unveiled the next evolution of Optimizely Op...

Graham Carr | Dec 16, 2025

Optimizely CMS - Learning by Doing: EP09 - Create Hero, Breadcrumb's and Integrate SEO : Demo

Episode 9 is Live!! The latest installment of my Learning by Doing: Build Series on Optimizely Episode 9 CMS 12 is now available on YouTube!...

Ratish | Dec 15, 2025 |

Building simple Opal tools for product search and content creation

Optimizely Opal tools make it easy for AI agents to call your APIs – in this post we’ll build a small ASP.NET host that exposes two of them: one fo...

Pär Wissmark | Dec 13, 2025 |

CMS Audiences - check all usage

Sometimes you want to check if an Audience from your CMS (former Visitor Group) has been used by which page(and which version of that page) Then yo...

Tuan Anh Hoang | Dec 12, 2025

See all blogs