Customizing and enhancing the security of a WSS 3.0/SharePoint 2007 site

david — Fri, 09 Jan 2009 04:00:14 +0000

I wanted to compare the capabilities of WSS 3.0 (Sharepoint 2007) to host forum-like discussions, blogs and wiki’s. After I’d developed my site, there were items that were visible to anonymous and standard users that I felt were inappropriate. I wanted information to be visible or not based upon the users role. Such as the ability to view lists of People and Groups. I’ve worked in several businesses where exposing customer names to all users is a violation of customer agreements. IMHO, this is a serious oversight in Microsoft’s implementation.

After I did a good bit of research, experimentation and learning I was able to change the security using the SPSecurityTrimmedControl. Here is how I restricted access to some portions on my Sharepoint Site.

WSS 3.0 provides a control SPSecurityTrimmedControl that allows the conditional rendering of content based on a users permission. Using this control, I was able to restrict who would be shown People and Groups on my site. To do this I modified the people.aspx and the groups.aspx files for my site.

A word of caution: I have no doubt that when applying a future service pack, Microsoft will overwrite my changes. Therefore I’m managing my changes externally from the Microsoft SharePoint directory. This will allow me to difference new code from Microsoft and reapply my changes.

people.aspx
The file people.aspx resides in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS folder. It lists the persons in the site. After I made a backup copy, I opened the file in a text editor and located the start of the “PlaceHolderMain” asp:Content section and added the start of my permission change

before

^?View Code XML

 contentplaceholderid="PlaceHolderMain" runat="server">
	 id="PanelAllPeople" runat="server">
	  class="ms-listdescription">

after

^?View Code XML

 contentplaceholderid="PlaceHolderMain" runat="server">
 runat="server" PermissionsString="ManagePermissions">
	 id="PanelAllPeople" runat="server">
	  class="ms-listdescription">

I located the end of the “PlaceHolderMain” asp:Content section and completed my permission change.

before

^?View Code XML

	 id="LnkCallTo" runat="server"
		Text="<%$SPHtmlEncodedResources:wss,people_callbuttontext%>"
		style="visibility:hidden;display:none"
		NavigateUrl="callto:" />
>

after

^?View Code XML

	 id="LnkCallTo" runat="server"
		Text="<%$SPHtmlEncodedResources:wss,people_callbuttontext%>"
		style="visibility:hidden;display:none"
		NavigateUrl="callto:" />
>
>

I also located the modifed the “PlaceHolderLeftNavBar” asp:Content and made the similar changes as above to require the user to have ManagePermissions as well.

groups.aspx
The file group.aspx resides in the \Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS folder. It lists the groups in the site. After I made a backup copy, I opened the file in a text editor and made the same “PlaceHolderMain” asp:Content section changes as I had to people.aspx.

Overview of SPSecurityTrimmedControl

The SPSecurityTrimmedControl conditionally renders the included contents only when the current user has the permissions defined by the PemissionsString.
An example requiring the user to have “ManagePermissions”:

^?View Code XML

 runat="server" PermissionsString="ManagePermissions">

>

Here are some of the values for the PermissionsString

Permissions String	Description
AddAndCustomizePages	Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor.
AddDelPrivateWebParts	Add or remove personal Web Parts on a Web Part Page.
AddListItems	Add items to lists, add documents to document libraries, and add Web discussion comments.
ApproveItems	Approve a minor version of a list item or document.
BrowseDirectories	Enumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces.
BrowseUserInfo	View information about users of the Web site.
CancelCheckout	Discard or check in a document which is checked out to another user.
CreateAlerts	Create e-mail alerts.
CreateGroups	Create a group of users that can be used anywhere within the site collection.
DeleteListItems	Delete items from a list, documents from a document library, and Web discussion comments in documents.
DeleteVersions	Delete past versions of a list item or document.
EditListItems	Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
EditMyUserInfo	Allows a user to change his or her user information, such as adding a picture.
EnumeratePermissions	Enumerate permissions on the Web site, list, folder, document, or list item.
ManageAlerts	Manage alerts for all users of the Web site.
ManageLists	Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
ManagePermissions	Create and change permission levels on the Web site and assign permissions to users and groups.
ManagePersonalViews	Create, change, and delete personal views of lists.
Open	Allow users to open a Web site, list, or folder to access items inside that container.
OpenItems	View the source of documents with server-side file handlers.
UpdatePersonalWebParts	Update Web Parts to display personalized information.
ViewFormPages	View forms, views, and application pages, and enumerate lists.
ViewListItems	View items in lists, documents in document libraries, and view Web discussion comments.
ViewPages	View pages in a Web site.
ViewUsageData	View reports on Web site usage.
ViewVersions	View past versions of a list item or document.

The full list is on msdn.

David's technobabble » security

Customizing and enhancing the security of a WSS 3.0/SharePoint 2007 site