Wednesday, February 2, 2011
Control Anonymous User from Accessing Application Pages
I came across a requirement where the SharePoint site had to be enabled for anonymous users while, at the same time, those users were restricted from viewing the application pages. My first choice was ViewLockDownFeature, shipped with SharePoint 2007 STSADM. I thought that simply enabling the feature would save time and solve the problem. It did solve the problem, but it created another one: the feature blocks anonymous users from navigating to the blog entries, since the blog entries access the Lists directly to get the page contents.
Sample blog URL:
../myblog/Lists/Categories/Category.aspx?CategoryId=2&Name=Category 2
Workaround 1:
Setting the policy at web.config level.
<configuration>
    <location path="_layouts/viewlsts.aspx">
        <system.web>
            <authorization>
                <!-- "*" denies every user; "?" would deny only anonymous users -->
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
</configuration>
For further information follow up here.
The problem with the above method is that if you want to block all the application pages and still keep the blog accessible to anonymous users, you have to specify every application page URL.
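To take the hand-listing out of Workaround 1, the following PowerShell script (an added example, not part of the original post) writes one location deny block per .aspx page under the LAYOUTS folder to a file for review before anything is merged into web.config. Assumptions: the default SharePoint 2007 install path, the RedirectionModule folder from Workaround 2 as the only allowed prefix, a hypothetical output file name, and a constructed page list used when the folder is not present.

```powershell
# Added example. Assumptions: default SharePoint 2007 ("12 hive") install path;
# the sample page list is constructed and used only when that folder is absent.
param(
    [string]$LayoutsRoot = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS",
    [string[]]$AllowPrefixes = @('RedirectionModule/'),  # pages anonymous users must still reach
    [string]$Users = '*'                                 # value used in the post; '?' matches anonymous users only
)

function Write-LayoutsDenyConfig {
    param([string[]]$RelativePaths, [string[]]$Allow, [string]$Users, [string]$OutFile)
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('configuration'))
    foreach ($rel in ($RelativePaths | Sort-Object)) {
        # Skip anything under an allowed prefix (case-insensitive, anchored at the start)
        $isAllowed = $false
        foreach ($prefix in $Allow) {
            if ($rel.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { $isAllowed = $true }
        }
        if ($isAllowed) { continue }
        $loc = $root.AppendChild($doc.CreateElement('location'))
        $loc.SetAttribute('path', "_layouts/$rel")
        $auth = $loc.AppendChild($doc.CreateElement('system.web')).AppendChild($doc.CreateElement('authorization'))
        $auth.AppendChild($doc.CreateElement('deny')).SetAttribute('users', $Users)
    }
    $doc.Save($OutFile)   # Save(path) writes indented XML
}

if (Test-Path $LayoutsRoot) {
    $base  = (Resolve-Path $LayoutsRoot).Path.TrimEnd('\')
    # URL-style paths relative to LAYOUTS, e.g. "viewlsts.aspx"
    $pages = Get-ChildItem -Path $base -Filter *.aspx -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($base.Length + 1).Replace('\', '/') }
} else {
    # Constructed sample so the script can be tried off-server
    $pages = 'viewlsts.aspx', 'settings.aspx', 'RedirectionModule/redirect.aspx'
}

$out = Join-Path (Get-Location).Path 'layouts-deny.config'
Write-LayoutsDenyConfig -RelativePaths $pages -Allow $AllowPrefixes -Users $Users -OutFile $out
Write-Host "Wrote deny rules for review to $out"
```

The generated list is a snapshot: pages added to LAYOUTS later by a solution or service pack are not covered until the script is run again.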
Workaround 2:
Tweaking with Delegate control
SharePoint gives you plenty of room to play with delegate controls, and using them can save a chunk of development time compared with the other options.
Normally SharePoint delegate controls reside in the master page and page layouts as well as in application pages. I first delved into delegate controls for a custom navigation control. This is the second time, and this time I observed that all the application pages have the delegate control. So overriding the delegate control in the following manner lets you implement your own policy, ranging from different user groups down to the site, page and URL level.
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

public class AnonyousePolicy : UnsecuredLayoutsPageBase
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Match on the path only: with PathAndQuery, text in the query string
        // could satisfy either of the checks below.
        string path = System.Web.HttpContext.Current.Request.Url.AbsolutePath;

        if (path.IndexOf("_layouts/RedirectionModule/", StringComparison.OrdinalIgnoreCase) > 0)
        {
            // Do nothing: anonymous users need the redirection pages to stay available
        }
        else if (path.IndexOf("_layouts/", StringComparison.OrdinalIgnoreCase) > 0)
        {
            if (SPContext.Current.Web.CurrentUser == null)
            {
                // Anonymous user: prevent access
                SPUtility.TransferToErrorPage("Anonymous users have no access to this page");
            }
        }
    }
}
Conclusion: I feel the first method is a simple way to block anonymous users, provided access does not need to be restricted per user group and the number of application pages is small.
The second method is handy and, I hope, more flexible than the first!
I look forward to your feedback.