Customizing and enhancing the security of a WSS 3.0/SharePoint 2007 site

I wanted to compare the capabilities of WSS 3.0 (SharePoint 2007) for hosting forum-like discussions, blogs and wikis. After I had developed my site, there were items visible to anonymous and standard users that I felt were inappropriate. I wanted information to be visible or not based on the user's role, such as the ability to view the lists of People and Groups. I have worked in several businesses where exposing customer names to all users is a violation of customer agreements. IMHO, this is a serious oversight in Microsoft's implementation.

After a good bit of research, experimentation and learning, I was able to change this behaviour using the SPSecurityTrimmedControl. Here is how I restricted access to some portions of my SharePoint site.

WSS 3.0 provides a control, SPSecurityTrimmedControl, that renders its contents only when the current user holds a given set of permissions. Using this control, I was able to restrict who is shown the People and Groups pages on my site. To do this I modified the people.aspx and groups.aspx files in the LAYOUTS folder.

A word of caution: I have no doubt that a future service pack will overwrite my changes. Therefore I keep my modified copies outside the Microsoft SharePoint directory, which lets me diff Microsoft's new code against mine and reapply my changes. Bear in mind also that the LAYOUTS folder is served as _layouts for every site collection on the installation, so an edit there applies to all of them, not just one site.


people.aspx
The file people.aspx resides in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS folder and lists the people in the site. After making a backup copy, I opened the file in a text editor, located the start of the "PlaceHolderMain" asp:Content section and added the start of my permission change.

before

<asp:Content contentplaceholderid="PlaceHolderMain" runat="server">
	<asp:PlaceHolder id="PanelAllPeople" runat="server">
	 <div class="ms-listdescription">

after

<asp:Content contentplaceholderid="PlaceHolderMain" runat="server">
<SharePoint:SPSecurityTrimmedControl runat="server" PermissionsString="ManagePermissions">
	<asp:PlaceHolder id="PanelAllPeople" runat="server">
	 <div class="ms-listdescription">

I located the end of the “PlaceHolderMain” asp:Content section and completed my permission change.

before

	<asp:HyperLink id="LnkCallTo" runat="server"
		Text="<%$SPHtmlEncodedResources:wss,people_callbuttontext%>"
		style="visibility:hidden;display:none"
		NavigateUrl="callto:" />
</asp:Content>

after

	<asp:HyperLink id="LnkCallTo" runat="server"
		Text="<%$SPHtmlEncodedResources:wss,people_callbuttontext%>"
		style="visibility:hidden;display:none"
		NavigateUrl="callto:" />
</SharePoint:SPSecurityTrimmedControl>
</asp:Content>

I also located and modified the "PlaceHolderLeftNavBar" asp:Content section, making the same changes as above so that it too requires ManagePermissions.


groups.aspx
The file groups.aspx resides in the same \Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS folder and lists the groups in the site. After making a backup copy, I opened it in a text editor and made the same "PlaceHolderMain" asp:Content section changes as I had for people.aspx.
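Since a service pack can put the stock pages back, the edit above is worth scripting rather than repeating by hand. The following is an added example, not code from the original post: a Python script that performs the same wrap on people.aspx and groups.aspx, checks which regions still need it, and keeps a dated backup beside each file. It relies on the ASP.NET rule that asp:Content regions never nest, so the first </asp:Content> after a region's open tag closes it; the command-line usage, the backup-file naming and the miniature sample page embedded for testing are this script's own assumptions.

```python
"""Apply the SPSecurityTrimmedControl wrap to SharePoint LAYOUTS pages.

Added example, not code from the original post. It automates the hand edit
described above so the change can be kept outside the 12 hive and reapplied
after a service pack restores the stock people.aspx / groups.aspx. The
command-line arguments, backup-file suffix and sample page text are this
script's own assumptions.
"""
import os
import re
import shutil
import sys
from datetime import datetime

OPEN_TAG = ('<SharePoint:SPSecurityTrimmedControl runat="server" '
            'PermissionsString="{perm}">')
CLOSE_TAG = '</SharePoint:SPSecurityTrimmedControl>'

# Regions the post wraps: PlaceHolderMain in both pages, plus the left
# navigation bar in people.aspx.
DEFAULT_REGIONS = {
    "people.aspx": ["PlaceHolderMain", "PlaceHolderLeftNavBar"],
    "groups.aspx": ["PlaceHolderMain"],
}


def wrap_region(page, placeholder_id, permissions):
    """Return `page` with the named <asp:Content> region wrapped in the control.

    asp:Content controls cannot nest, so the first </asp:Content> after the
    matching open tag is the one that closes the region. A region that is
    already wrapped is returned unchanged, so re-running is harmless.
    """
    open_re = re.compile(
        r'<asp:Content\b[^>]*\bcontentplaceholderid\s*=\s*"%s"[^>]*>'
        % re.escape(placeholder_id),
        re.IGNORECASE,
    )
    m = open_re.search(page)
    if m is None:
        raise ValueError("no <asp:Content> region for %s" % placeholder_id)
    close_idx = page.find("</asp:Content>", m.end())
    if close_idx < 0:
        raise ValueError("unterminated <asp:Content> region for %s" % placeholder_id)
    body = page[m.end():close_idx]
    if body.lstrip().lower().startswith("<sharepoint:spsecuritytrimmedcontrol"):
        return page  # already applied
    nl = "\r\n" if "\r\n" in page else "\n"  # keep the file's line endings
    return (page[:m.end()] + nl + OPEN_TAG.format(perm=permissions)
            + body + CLOSE_TAG + nl + page[close_idx:])


def wrap_regions(page, placeholder_ids, permissions):
    for pid in placeholder_ids:
        page = wrap_region(page, pid, permissions)
    return page


def unwrapped_regions(page, placeholder_ids):
    """List the regions that are not (or no longer) wrapped.

    Useful as a check after a service pack: wrap_region only changes the
    page when the region is still unwrapped, so a changed result means
    the protection is missing.
    """
    return [pid for pid in placeholder_ids
            if wrap_region(page, pid, "probe") != page]


def apply_to_file(path, placeholder_ids, permissions, backup=True):
    """Wrap the regions in the file at `path`; returns True if it changed."""
    # newline="" preserves CRLF exactly; a UTF-8 BOM survives as \ufeff.
    with open(path, encoding="utf-8", newline="") as f:
        original = f.read()
    updated = wrap_regions(original, placeholder_ids, permissions)
    if updated == original:
        return False
    if backup:  # assumed naming: people.aspx.orig-20240101120000
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(path, "%s.orig-%s" % (path, stamp))
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(updated)
    return True


# Constructed miniature of people.aspx mirroring the "before" snippets in the
# post; not the real file.
SAMPLE_PEOPLE_ASPX = (
    '<asp:Content contentplaceholderid="PlaceHolderMain" runat="server">\n'
    '\t<asp:PlaceHolder id="PanelAllPeople" runat="server">\n'
    '\t <div class="ms-listdescription"></div>\n'
    '\t</asp:PlaceHolder>\n'
    '\t<asp:HyperLink id="LnkCallTo" runat="server" NavigateUrl="callto:" />\n'
    '</asp:Content>\n'
    '<asp:Content contentplaceholderid="PlaceHolderLeftNavBar" runat="server">\n'
    '\t<div id="leftnav"></div>\n'
    '</asp:Content>\n'
)


if __name__ == "__main__":
    # Assumed usage: python wrap_layouts.py <LAYOUTS folder> [PermissionsString]
    layouts = sys.argv[1]
    perm = sys.argv[2] if len(sys.argv) > 2 else "ManagePermissions"
    for name, regions in DEFAULT_REGIONS.items():
        changed = apply_to_file(os.path.join(layouts, name), regions, perm)
        print("%s: %s" % (name, "wrapped" if changed else "already wrapped"))
```

Run it against the copies you keep outside the SharePoint directory, diff the result against the stock files after a service pack, and only then copy the wrapped pages back into LAYOUTS; unwrapped_regions gives a quick answer to "did the service pack undo my change" without re-reading the markup by eye.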


Overview of SPSecurityTrimmedControl

The SPSecurityTrimmedControl renders its contents only when the current user holds the permissions named in its PermissionsString; otherwise the enclosed markup is left out of the page altogether. The names are those of the SPBasePermissions enumeration, and several can be listed separated by commas. Note that the control only trims what this page renders: it does not change the user's underlying permissions, so other routes that enumerate users, such as the SharePoint web services, are still governed by the BrowseUserInfo permission rather than by this edit.
An example requiring the user to have "ManagePermissions":

<SharePoint:SPSecurityTrimmedControl runat="server" PermissionsString="ManagePermissions">
<!--
...
... code being managed ...
...
-->
</SharePoint:SPSecurityTrimmedControl>

Here are some of the values accepted in PermissionsString:

PermissionsString value    Description
AddAndCustomizePages Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor.
AddDelPrivateWebParts Add or remove personal Web Parts on a Web Part Page.
AddListItems Add items to lists, add documents to document libraries, and add Web discussion comments.
ApproveItems Approve a minor version of a list item or document.
BrowseDirectories Enumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces.
BrowseUserInfo View information about users of the Web site.
CancelCheckout Discard or check in a document which is checked out to another user.
CreateAlerts Create e-mail alerts.
CreateGroups Create a group of users that can be used anywhere within the site collection.
DeleteListItems Delete items from a list, documents from a document library, and Web discussion comments in documents.
DeleteVersions Delete past versions of a list item or document.
EditListItems Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
EditMyUserInfo Allows a user to change his or her user information, such as adding a picture.
EnumeratePermissions Enumerate permissions on the Web site, list, folder, document, or list item.
ManageAlerts Manage alerts for all users of the Web site.
ManageLists Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
ManagePermissions Create and change permission levels on the Web site and assign permissions to users and groups.
ManagePersonalViews Create, change, and delete personal views of lists.
Open Allow users to open a Web site, list, or folder to access items inside that container.
OpenItems View the source of documents with server-side file handlers.
UpdatePersonalWebParts Update Web Parts to display personalized information.
ViewFormPages View forms, views, and application pages, and enumerate lists.
ViewListItems View items in lists, documents in document libraries, and view Web discussion comments.
ViewPages View pages in a Web site.
ViewUsageData View reports on Web site usage.
ViewVersions View past versions of a list item or document.

The full list is in the SPBasePermissions enumeration documentation on MSDN.


This entry was posted in .NET, SharePoint, WSS.
  • http://www.nilanka.com Nilanka Perera

    This is fantastic. Thanks a lot for posting this.

  • http://www.acis.uk.com Andrew Hines

    Thanks for this. You are a star. We are publishing customer portals using WSS 3.0 and the ability to restrict the access to People and Groups was desperately needed.