EndUserSharePoint has combined resources with NothingButSharePoint.com. You can now find End User (Mark Miller), Developer (Jeremy Thake) and IT Pro SharePoint content all in one place!

Friday, June 19, 2009

Securing SharePoint List/Document Library Views Seems (sort of) Possible with jQuery

This is another post in my on-going series on how to use jQuery with SharePoint.

If you want to learn more about jQuery, I highly recommend: jQuery in Action by Bear Bibeault and Yehuda Katz.

One of the first things I thought, once I started to play around with jQuery, was whether we could use it to secure a SharePoint view.  The answer is “no” (or at least, I’m not claiming it’s possible).  However, it is certainly possible to make it difficult for people to see a particular view. 

I started with my sandbox environment when working on this.  I wrote about that environment here: Quick and Easy: Create Your Own jQuery Sandbox for SharePoint.  

To “secure” a view, follow these steps:

  • Create a view you want to secure.  I did that and called it “Secured View”.
  • This is what it looks like when it’s not “secured”:


    [Image: List or Document Library View]

  • Add a content editor web part to the view’s page using the trick described in the sandbox article (i.e. add “PageView=Shared&ToolPaneView=2” to the URL).
  • Figure out your SharePoint _spUserId by following these crazy steps, believe it or not:
  1. Log into your SharePoint environment.
  2. In the web browser’s address field, type: “javascript:alert(_spUserId)”.
  3. Record the result (it’s “13” in my case).

    [Image: List or Document Library View]

  • Add the following JavaScript to your CEWP in code view:

 

I’ve included that alert(_spUserId) line in there to demonstrate how this is not really “securing” a view, but simply making it more difficult to see.  More on that in a moment.

Basically, jQuery is looking for an iFrame on the page that has an attribute containing “Secured%20View” in its value.  Once it finds it, we check to see if the current user is “13”.  If it is, we walk up the DOM to a <TR> tag (which I figured out by viewing source and tracing it) and then replace that TR tag with my message. I really don’t know how robust this is (I’m very suspicious, in fact), but it worked in my sandbox.  If I find a better way, I’ll blog about it. This is the result:

[Image: List or Document Library View]

I click the OK button and the data is replaced with a big red message:

[Image: List or Document Library View]

As you can tell, the way I’ve implemented this “security” solution is to allow the web part to render itself.  After it finishes, I overwrite its content with my “No view for you!” message.

Despite the fact that it’s not really a “secured” view, it’s potentially useful and with some clever work, it may eventually be securable in a more formal sense.  The fundamental issue is that the client is getting all the data and then, only after it gets the data, it wipes it out.  If the client is getting the data, a clever user can prevent the jQuery from running at all and see what he/she wants to see.
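
The fundamental issue described above, shown as an added example that is not part of the original post: a check on the raw response body, which is what counts as disclosed, run against a page that hides rows with a script and against one trimmed on the server. The rows, user ids and function names are constructed for illustration and are not SharePoint APIs.

```javascript
// Added illustration; rows, ids and function names are constructed, not SharePoint APIs.
const ROWS = [
  { id: 1, title: "Payroll adjustments <draft>" },
  { id: 2, title: "Reorg plan & timeline" },
];

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);

const renderRows = (rows) =>
  rows.map((r) => `<tr><td>${escapeHtml(r.title)}</td></tr>`).join("");

// Pattern from the post: the server serializes every row for every user,
// and a script overwrites the table only after the browser has received it.
function renderClientHidden(rows, hiddenFromUserId) {
  return `<table id="view">${renderRows(rows)}</table>` +
    `<script>if (_spUserId == ${Number(hiddenFromUserId)}) {` +
    ` document.getElementById("view").outerHTML = "<b>No view for you!</b>"; }</script>`;
}

// Server-side trimming: the access decision happens before any row is serialized.
function renderServerTrimmed(rows, userId, allowedUserIds) {
  if (!allowedUserIds.includes(userId)) return "<p>No view for you!</p>";
  return `<table id="view">${renderRows(rows)}</table>`;
}

// Defender's check: which restricted titles appear in the raw response body,
// independent of whatever a script later does to the rendered page?
function leakedTitles(responseBody, rows) {
  return rows.map((r) => r.title).filter((t) => responseBody.includes(escapeHtml(t)));
}

console.log("client-hidden response contains:",
  leakedTitles(renderClientHidden(ROWS, 13), ROWS));
console.log("server-trimmed response contains:",
  leakedTitles(renderServerTrimmed(ROWS, 13, [7]), ROWS));
```

The same assertion, pointed at a real response fetched with an unauthorized test account, works as a regression test for any view that is supposed to be restricted.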

There are other drawbacks.  This “security” approach is based off a _spUserId.  We’d want to really secure based on the full SharePoint security model, or at least by user name.  That becomes progressively harder, but I see some good stuff written on this subject, so I’m hopeful there’s a good answer to that problem.

The list of views themselves should be trimmed, if possible.  I haven’t tried to figure that out.  I assume it’s possible, but it doesn’t really solve the fundamental security issue because someone could still just type the URL of the view they want (if they knew it).  However, trimming makes sense.  It’s a good usability feature and it helps to obfuscate things.  If an end user doesn’t know that the view even exists, they probably won’t try to use it.  Sometimes, that’s good enough.

With luck, I’ll have more to write on this subject over time.

Paul Galvin, Microsoft MVP – SharePoint
Web site: Paul Galvin’s SharePoint Space

Paul is a Solutions Architect currently working most closely with Microsoft Office SharePoint Server 2007. He was recently awarded Microsoft MVP – SharePoint status for his work with the SharePoint community.


12 Responses to “Securing SharePoint List/Document Library Views Seems (sort of) Possible with jQuery”
  1. If the point is to secure data of the view (and not just hide the view itself), never do it this way. All the data is still loaded and can be seen simply using View-Source to get at the data/iframe source, or captured using a tool like Fiddler. Maybe call it “targeted view” rather than “secured view”.

  2. Alex Angas says:

    I’m also very uneasy with the use of the word ’secure’ in the UI. It really should be ‘hidden’.

  3. Paul Galvin says:

    I think I made it clear it’s not a security solution, but I do like the word “hidden”.

    I intend to extend this to make it more “secure” but jQuery alone probably isn’t the solution for a truly secure approach. It would be better to remove the view from the drop down list, but that’s not good enough since a user can still type the actual URL of that view into the browser.

    It’s certainly true that the data is still there in the browser’s view source (at least for me, running IE 8), but this is what I see:

    Icon=”icgen.gif||” OType=”0″ COUId=”" HCD=”" CSrc=”" MS=”0″ CType=”Item” CId=”0×0100D46D148276014A4986BA65D0DF85D71D” UIS=”512″ SUrl=”">Any old title.Default me!Hide me!<a onfocus=”OnLink(this)” href=”/jQuerySandbox/Lists/Data%20Entry%20Form/DispForm

    The data is there but it’s not easy for a non-technical person to parse.

    Again, I agree, this is not a security solution.

    I don’t know if it’s possible to produce a truly secured view. It would be nice to achieve that. If you have any ideas, please post!

    –Paul Galvin

  4. Christophe says:

    Paul: I agree with the first comment of this post (and this was also my very first comment on Twitter).
    You don’t make it clear that it’s not a security solution, starting with the title of the post. I find this dangerously misleading.
    How about using terms like “audience targeting” instead?

  5. Paul Galvin says:

    The second graph of the article is:

    ===
    One of the first things I thought, once I started to play around with jQuery, was whether we could use it to secure a SharePoint view. The answer is “no” (or at least, I’m not claiming it’s possible). However, it is certainly possible to make it difficult for people to see a particular view.
    ===

    The walk-through itself clearly demonstrates that the data is exposed.

    Short of removing the word “security” altogether from this post, I don’t know what else I could do to reduce the risk that someone might accidentally think this is a truly secure approach to the problem.

  6. Stacy Spear says:

    I think Paul made it pretty clear that this is not a security solution. He did state that multiple times.

    I think this could be accomplished by stopping inherited permissions on the item/page/list in question and removing everyone that you don’t want to have access to the information.

  7. Christophe says:

    @Stacy: yes, he did state multiple times that it was not a security solution. But yes, he also stated up front – in the title – that securing seemed (sort of) possible. And yes, he also called his view “Secured View”. So: no, he didn’t make it pretty clear.

    Honestly, what’s the point of using the term “secure”, if you must then spend the rest of the post explaining that it actually has nothing to do with security?

  8. Zacharias says:

    Haven’t read all the comments, so I don’t know if somebody already contributed this…

    If the purpose of this is to not show a portion of the list (e.g. some columns should only be viewed by admins) you can accomplish the same thing with no code at all.

    Simply:
    - Create all the views you need.
    - Upload these views as listview web parts on web part pages.
    - Store these web part pages in libraries with unique permissions.
    - Create a link list so that users can navigate to appropriate pages (Admins to admin pages, regular users to regular pages)
    - And finally, on the initial list, edit the page that holds the default view and hide the web part. That way users won’t be able to select the existing views.

    * this is not a perfect solution either, only a workaround.

  9. Steve Ruiz says:

    Yeah this is a pretty badly worded post. It’s a minor curiosity if anything. Why even waste the time trying to do this? Just implement it correctly.

    Doing any “security” related task on the client? Are you serious?

  10. Ricky Singh says:

    The other option is having two webparts on the default view page and then use Target Audiences. Have two groups, one for Owners and one for Contributors. Add that list or library webpart to the default view page and that webpart will not be having the view toolbar, so use Contributors group for the target audiences and the main webpart that have the view toolbar, use owners group for target audiences. This way you can have two webparts on the same view page and all the users will see their respective webpart and this way we do not need to create custom links in the navigation as only one link will work for both the Contributors and Owners and the SharePoint security will show the appropriate webpart. The only flaw with this method will be that the users can edit the page through the URL (if they know the URL, which is very easy to find for technical people) and view the content of the other webpart.

  11. Matt Bramer says:

    As an alternative, you can follow the steps that I wrote up that will allow you to secure views.

    http://mattbramer.blogspot.com/2010/05/security-trim-list-views-with-ease.html
