Monday, May 24, 2010

Security trimmed list views with ease!

I didn’t know if this could be done, so I did what came naturally.  Poke around 'til I finally get an answer.  Usually I end up with a dead-end but today, I definitely found something of value.  It’s a lot simpler than what I originally thought.  Tools needed: SharePoint Designer and Notepad.  This could all be done within SPD but since it crashes on me, I tend to take my code offline, then paste it back into SPD, right before saving.

So where do we start?  How about cracking open the list that you’d like to create a secure view on.  I needed a way to create a secure view of a Gantt Chart and mash it up with a few other lists.  So since I didn’t know how to make a Gantt chart with a DVWP, I poked around a little.  I created a Gantt Chart view using the GUI.  When you save the view, there is a .aspx page that shows up within the Folder Navigation.  My custom view is cleverly called PersonalViews.aspx.


Once this view is created, you can open the page up and *reuse* all of that code somewhere else…  So, since I already have a Benchmarking Doc Library that uses custom permissions,  this will be a perfect place for my PersonalViews.aspx page.  After opening the page, click over to the code view and select all of the code.  This is where Notepad comes into play.  I take all of that code and paste it directly into a fresh Notepad .txt file.  That way I have all of that code within another program…  Just a preference, but we all have our ways ;-).  With all of that code, we can now navigate the GUI and delete the view we created.  There’s no need for it anymore and it’s best to delete the view within the GUI.  I’m not sure what happens if you just delete the .aspx page, but to be safe, use the GUI.  Why are we deleting what we just created?  Doesn’t that defeat the purpose?  NO!  We have all of the code that’s needed in Notepad, remember?  What we need to do now is create a new .aspx page within SPD.  I deleted all of the auto generated code:


We don’t need any of that gunking up our new view.  Now copy all of the code from Notepad into the code view of the .aspx page.  When this page renders, it’ll give you a nasty looking error:

[Screenshot: SPD - ListViewError]

I thought this was a show stopper, until I saved it in my secure location: Benchmarking Doc Library.  Here only the owners of the site are allowed to view.  I’ve tested logging in as many different users and even if they are allowed to view the Benchmarking Doc Library, if they don’t have explicit rights to this aspx page, they’ll get security trimmed.  List Views can now be security trimmed!!!  Also, you’ll notice within your list, the drop-down for all of the views has a new view.  It’s called whatever you named your aspx page.  However, when someone without rights to the page clicks on the view from the drop down, they’ll soon realize they are in the wrong spot:

[Screenshot: Access Denied Error]

If you use this and find more purposes for this, please drop a comment.  I’d like to hear about it.
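
One way to check the result from the server side, as an added example that is not part of the original post: the permissions on the .aspx page decide who can open that page, while the list it reads keeps its own permissions, so this script prints both and flags principals that hold rights on the list but not on the page. It assumes PowerShell 2.0 or later on the SharePoint server, and the site URL, page path and list name are placeholders.

```powershell
# Run on the SharePoint (MOSS 2007 / WSS 3.0) server with an account that can read permissions.
# The URL, page path and list name are placeholders (assumptions), not values from the post.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl  = "http://intranet.example.local/sites/team"   # placeholder site
$pageUrl  = "Benchmarking/PersonalViews.aspx"            # placeholder, web-relative path
$listName = "Tasks"                                      # placeholder: list behind the view

function Get-Assignments($securable) {
    # Flatten role assignments into "principal => permission levels" strings.
    foreach ($ra in $securable.RoleAssignments) {
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        "{0} => {1}" -f $ra.Member.Name, [string]::Join(", ", $levels)
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    $file = $web.GetFile($pageUrl)
    if (-not $file.Exists) { throw "Page not found: $pageUrl" }
    $item = $file.Item
    $list = $web.Lists[$listName]

    # If both are False, the page simply inherits the site's permissions.
    "Page has unique permissions:    {0}" -f $item.HasUniqueRoleAssignments
    "Library has unique permissions: {0}" -f $item.ParentList.HasUniqueRoleAssignments

    "Principals with rights on the page:"
    Get-Assignments $item | ForEach-Object { "  $_" }

    "Principals with rights on the list '$listName':"
    Get-Assignments $list | ForEach-Object { "  $_" }

    # These principals cannot open the page but still hold rights on the list itself.
    $pagePrincipals = @($item.RoleAssignments | ForEach-Object { $_.Member.Name })
    $list.RoleAssignments |
        Where-Object { $pagePrincipals -notcontains $_.Member.Name } |
        ForEach-Object { "List-only principal: {0}" -f $_.Member.Name }
}
finally {
    # SPWeb and SPSite hold unmanaged resources and must be disposed.
    $web.Dispose()
    $site.Dispose()
}
```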


Chad said...

I cannot seem to get this to work...all that comes up on the new site is a blank page...any ideas?

Matt B. said...

I probably should update this post.

Can you create the view, then in SPD cut and paste the page it creates into the Document Library? That'll save you a few steps and give you the same result. Make sure when you create the view, you create a public view, not a personal one.

Chad said...

Yes, I got all of that to work...I guess one question is, does it have to be pasted in the same site? I am trying to paste it into a new site so I can control the permissions more easily...

Chad said...

I think I answered my own worked when I saved it to the Shared Documents in the same site...guess I can just create a folder and control permissions through that...

Matt B. said...

Unfortunately, pasting the page into a different site will not work. You'll want to use DVWP's for something like that and build the charts using XSLT. Sounds like work eh?

If you create a folder and apply permissions to that, you'll be golden.

Chad said...

Worked like a charm...still have to test their rights, but seems to work. Thanks for the help!!!

Frank said...

Hi Matt,
I would like to try this in a document library. I work in a military hospital and some of the clinics would like to save some documents and Excel sheets with information (SSN, home numbers, etc). I’m going to place a folder in a library to see if this will work. I’m always looking for ways to use SharePoint. We are using MOSS 2007 for our Intranet.

@iOnline247 said...

I just tweeted something similar earlier today:

Even if you lock these down in a folder, you also have to make sure the transmission of that data is secure too. Since you work in the military, I can almost be 100% sure that's not a problem. Double check your site and make sure it's using SSL. However, given the nature of the data you are looking to store, you may want to look at alternate methods. Without knowing your whole setup, I really can't recommend what to do.