I wanted to compare the capabilities of WSS 3.0 (SharePoint 2007) to host forum-like discussions, blogs and wikis. After I’d developed my site, there were items that were visible to anonymous and standard users that I felt were inappropriate. I wanted information, such as the ability to view lists of People and Groups, to be visible or not based upon the user’s role. I’ve worked in several businesses where exposing customer names to all users is a violation of customer agreements. IMHO, this is a serious oversight in Microsoft’s implementation.
After I did a good bit of research, experimentation and learning, I was able to change the security using the SPSecurityTrimmedControl. Here is how I restricted access to some portions of my SharePoint site.
WSS 3.0 provides a control, SPSecurityTrimmedControl, that allows the conditional rendering of content based on a user’s permissions. Using this control, I was able to restrict who would be shown People and Groups on my site. To do this I modified the people.aspx and the groups.aspx files for my site.
A word of caution: I have no doubt that when applying a future service pack, Microsoft will overwrite my changes. Therefore I’m managing my changes externally from the Microsoft SharePoint directory. This will allow me to difference new code from Microsoft and reapply my changes.
people.aspx
The file people.aspx resides in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS folder. It lists the persons in the site. After I made a backup copy, I opened the file in a text editor, located the start of the “PlaceHolderMain” asp:Content section and added the start of my permission change:
before
```aspx
<asp:Content contentplaceholderid="PlaceHolderMain" runat="server">
<asp:PlaceHolder id="PanelAllPeople" runat="server">
<div class="ms-listdescription">
```
after
```aspx
<asp:Content contentplaceholderid="PlaceHolderMain" runat="server">
<SharePoint:SPSecurityTrimmedControl runat="server" PermissionsString="ManagePermissions">
<asp:PlaceHolder id="PanelAllPeople" runat="server">
<div class="ms-listdescription">
```
I located the end of the “PlaceHolderMain” asp:Content section and completed my permission change.
before
```aspx
<asp:HyperLink id="LnkCallTo" runat="server" Text="<%$SPHtmlEncodedResources:wss,people_callbuttontext%>" style="visibility:hidden;display:none" NavigateUrl="callto:" />
</asp:Content>
```
after
```aspx
<asp:HyperLink id="LnkCallTo" runat="server" Text="<%$SPHtmlEncodedResources:wss,people_callbuttontext%>" style="visibility:hidden;display:none" NavigateUrl="callto:" />
</SharePoint:SPSecurityTrimmedControl>
</asp:Content>
```
I also located and modified the “PlaceHolderLeftNavBar” asp:Content section, making similar changes as above to require the user to have ManagePermissions as well.
groups.aspx
The file groups.aspx resides in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS folder. It lists the groups in the site. After I made a backup copy, I opened the file in a text editor and made the same “PlaceHolderMain” asp:Content section changes as I had to people.aspx.
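Because a service pack can silently restore the stock people.aspx and groups.aspx, the edits above are worth re-checking after every update. The following is an added example, not code from the original post: a Python check that each named asp:Content section is still wrapped, start to end, by an SPSecurityTrimmedControl requiring the given permission. The function names and the sample markup are assumptions made for illustration.

```python
import re

# One <asp:Content> section: its attributes and body (sections do not nest).
CONTENT_RE = re.compile(
    r"<asp:Content\b(?P<attrs>[^>]*)>(?P<body>.*?)</asp:Content\s*>", re.I | re.S)
# An opening or closing SPSecurityTrimmedControl tag.
TRIM_RE = re.compile(r"<(/?)SharePoint:SPSecurityTrimmedControl\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')

def attrs(text):
    """Parse name="value" pairs into a dict with lower-cased names."""
    return {k.lower(): v for k, v in ATTR_RE.findall(text)}

def is_fully_trimmed(body, permission):
    """True if one trimmed control requiring `permission` wraps the whole body."""
    body = body.strip()
    first = TRIM_RE.match(body)
    if not first or first.group(1):
        return False
    a = attrs(first.group(2))
    perms = [p.strip().lower() for p in a.get("permissionsstring", "").split(",")]
    # With PermissionMode="Any", one of several listed permissions is enough,
    # so the required one is only guaranteed when it is listed alone.
    if permission.lower() not in perms or (
            a.get("permissionmode", "").lower() == "any" and len(perms) > 1):
        return False
    depth = 0
    for tag in TRIM_RE.finditer(body):
        depth += -1 if tag.group(1) else 1
        if depth == 0:  # outer control closed: nothing may follow it
            return tag.end() == len(body)
    return False  # the control was never closed

def unprotected_placeholders(aspx, placeholder_ids, permission="ManagePermissions"):
    """Return the ids whose section is missing or not fully wrapped."""
    bodies = {attrs(m.group("attrs")).get("contentplaceholderid", "").lower():
              m.group("body") for m in CONTENT_RE.finditer(aspx)}
    return [p for p in placeholder_ids
            if not is_fully_trimmed(bodies.get(p.lower(), ""), permission)]

# Constructed sample: a cut-down stand-in for the edited people.aspx.
PATCHED = """<asp:Content contentplaceholderid="PlaceHolderMain" runat="server">
<SharePoint:SPSecurityTrimmedControl runat="server" PermissionsString="ManagePermissions">
<asp:PlaceHolder id="PanelAllPeople" runat="server"><div class="ms-listdescription"></div></asp:PlaceHolder>
</SharePoint:SPSecurityTrimmedControl>
</asp:Content>"""
# Constructed sample: the same page after an update restored the stock markup.
OVERWRITTEN = TRIM_RE.sub("", PATCHED)
```

Run `unprotected_placeholders` over the text of each file with `["PlaceHolderMain", "PlaceHolderLeftNavBar"]`; any id it returns needs the change reapplied.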
Overview of SPSecurityTrimmedControl
The SPSecurityTrimmedControl conditionally renders the included contents only when the current user has the permissions defined by the PermissionsString.
An example requiring the user to have “ManagePermissions”:
```aspx
<SharePoint:SPSecurityTrimmedControl runat="server" PermissionsString="ManagePermissions">
<!-- ... ... code being managed ... ... -->
</SharePoint:SPSecurityTrimmedControl>
```
Here are some of the values for the PermissionsString:
| Permissions String | Description |
| --- | --- |
| AddAndCustomizePages | Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor. |
| AddDelPrivateWebParts | Add or remove personal Web Parts on a Web Part Page. |
| AddListItems | Add items to lists, add documents to document libraries, and add Web discussion comments. |
| ApproveItems | Approve a minor version of a list item or document. |
| BrowseDirectories | Enumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces. |
| BrowseUserInfo | View information about users of the Web site. |
| CancelCheckout | Discard or check in a document which is checked out to another user. |
| CreateAlerts | Create e-mail alerts. |
| CreateGroups | Create a group of users that can be used anywhere within the site collection. |
| DeleteListItems | Delete items from a list, documents from a document library, and Web discussion comments in documents. |
| DeleteVersions | Delete past versions of a list item or document. |
| EditListItems | Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries. |
| EditMyUserInfo | Allows a user to change his or her user information, such as adding a picture. |
| EnumeratePermissions | Enumerate permissions on the Web site, list, folder, document, or list item. |
| ManageAlerts | Manage alerts for all users of the Web site. |
| ManageLists | Create and delete lists, add or remove columns in a list, and add or remove public views of a list. |
| ManagePermissions | Create and change permission levels on the Web site and assign permissions to users and groups. |
| ManagePersonalViews | Create, change, and delete personal views of lists. |
| Open | Allow users to open a Web site, list, or folder to access items inside that container. |
| OpenItems | View the source of documents with server-side file handlers. |
| UpdatePersonalWebParts | Update Web Parts to display personalized information. |
| ViewFormPages | View forms, views, and application pages, and enumerate lists. |
| ViewListItems | View items in lists, documents in document libraries, and view Web discussion comments. |
| ViewPages | View pages in a Web site. |
| ViewUsageData | View reports on Web site usage. |
| ViewVersions | View past versions of a list item or document. |
The full list is on MSDN.
This is fantastic. Thanks a lot for posting this.
Thanks for this. You are a star. We are publishing customer portals using WSS 3.0 and the ability to restrict the access to People and Groups was desperately needed.