Limit parts of page or DataForm WebPart to the ones with rights

January 17th, 2009 | Categories: SharePoint, XSLT

When you view a SharePoint page anonymously, you see only the items you’re supposed to see. If we as visitors have no rights to see a certain site, it’s not displayed. Likewise, if any elements of a list or document library have specific permissions that make them unavailable to the public, we can’t see them.

SharePoint has a very good security model, which we can use (yes, even without Visual Studio). We can display certain parts of a page or DFWP based on the rights the visiting user has. For example, if we have a special part that only users with the right to edit should see, we’d wrap it in a conditional formatting tag with the condition ddwrt:IfHasRights(4):

Only Editors can see this text!

The number 4 in the example above represents the editing right. You’ll find all available permissions in the table below. The example above is good for hiding the “Edit” button.

You can do the same outside of a WebPart, but you need to use a different kind of tag to nest the protected content in:

Editors can see this text!

Use the example above anywhere on the web page outside of a WebPart. As we can see, this time the permission is defined with a string instead of a number. For this tag to work, don’t forget to register the SharePoint tag prefix first with

<%@ Register tagprefix="SharePoint" namespace="Microsoft.SharePoint.WebControls" 
assembly="Microsoft.SharePoint, Version=, Culture=neutral,
PublicKeyToken=71e9bce111e9429c" %>

(in SharePoint’s default master page it’s already added). You’re probably asking what the possible values are. Thanks to Ian Morrish I’ve found the whole set (the strings for PermissionsString are quite self-descriptive):

| SPSecurityTrimmedControl | ddwrt:IfHasRights |
|---|---|
| ViewListItems | 1 |
| AddListItems | 2 |
| EditListItems | 4 |
| DeleteListItems | 8 |
| ApproveItems | 16 |
| OpenItems | 32 |
| ViewVersions | 64 |
| DeleteVersions | 128 |
| CancelCheckout | 256 |
| PersonalViews | 512 |
| ManageLists | 2048 |
| ViewFormPages | 4096 |
| Open | 65536 |
| ViewPages | 131072 |
| AddAndCustomizePages | 262144 |
| ApplyThemeAndBorder | 524288 |
| ApplyStyleSheets | 1048576 |
| ViewUsageData | 2097152 |
| CreateSSCSite | 4194304 |
| ManageSubwebs | 8388608 |
| CreateGroups | 16777216 |
| ManagePermissions | 33554432 |
| BrowseDirectories | 67108864 |
| BrowseUserInfo | 134217728 |
| AddDelPrivateWebParts | 268435456 |
| UpdatePersonalWebParts | 536870912 |
| ManageWeb | 1073741824 |
| UseRemoteAPIs | 137438953472 |
| ManageAlerts | 274877906944 |
| CreateAlerts | 549755813888 |
| EditMyUserInfo | 1099511627776 |
| EnumeratePermissions | 4611686018427387904 |
| FullMask | 9223372036854775807 |


There are some considerations you should keep in mind:

1. This doesn’t work on “System” pages – those in the _layouts folder.

2. This checks security against the actual page you’re viewing (if you put the SPSecurityTrimmedControl in a master page, it will check the visitor’s permissions on the page being viewed, not on the master page).
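A way to check pages for mistakes in the two tags described above, as an added example that is not code from the original post: it scans markup for `ddwrt:IfHasRights(...)` calls and `SPSecurityTrimmedControl` tags and reports values that do not match the table. The names `audit` and `RIGHTS` and the sample markup are constructed for illustration, the `xsl:if` wrapper and the `runat="server"` and `PermissionsString` attributes are the usual forms of these tags rather than text copied from this page, and only a subset of the table's rows is embedded.

```python
import re

# Subset of the page's table: permission name -> ddwrt:IfHasRights number.
# Extend with the remaining rows as needed.
RIGHTS = {
    "ViewListItems": 1, "AddListItems": 2, "EditListItems": 4,
    "DeleteListItems": 8, "ApproveItems": 16, "OpenItems": 32,
    "ViewVersions": 64, "DeleteVersions": 128, "CancelCheckout": 256,
    "PersonalViews": 512, "ManageLists": 2048, "ViewFormPages": 4096,
}
NUMBERS = set(RIGHTS.values())

IF_HAS_RIGHTS = re.compile(r"ddwrt:IfHasRights\(\s*([^)]*?)\s*\)")
TRIM_TAG = re.compile(r"<SharePoint:SPSecurityTrimmedControl\b([^>]*)>", re.I)
ATTR = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')

def audit(markup):
    """Return sorted (line, message) findings for both trimming tags."""
    line_of = lambda m: markup.count("\n", 0, m.start()) + 1
    findings = []
    for m in IF_HAS_RIGHTS.finditer(markup):
        arg = m.group(1)
        # The XSLT condition takes the number, not the permission name.
        if not arg.isdecimal() or int(arg) not in NUMBERS:
            findings.append((line_of(m), f"IfHasRights({arg}): not a number from the table"))
    for m in TRIM_TAG.finditer(markup):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        # Without runat="server" ASP.NET emits the tag and its content as literal text.
        if attrs.get("runat", "").lower() != "server":
            findings.append((line_of(m), 'missing runat="server": content is not trimmed'))
        names = [n.strip() for n in attrs.get("permissionsstring", "").split(",")]
        for name in names:  # names are compared exactly as spelled in the table
            if name not in RIGHTS:
                findings.append((line_of(m), f"PermissionsString: unknown name {name!r}"))
    return sorted(findings)

# Constructed sample: lines 1 and 3 follow the page's two patterns; 2 and 6 contain mistakes.
SAMPLE = '''\
<xsl:if test="ddwrt:IfHasRights(4)">Only Editors can see this text!</xsl:if>
<xsl:if test="ddwrt:IfHasRights(EditListItems)">Edit</xsl:if>
<SharePoint:SPSecurityTrimmedControl runat="server" PermissionsString="EditListItems">
  Editors can see this text!
</SharePoint:SPSecurityTrimmedControl>
<SharePoint:SPSecurityTrimmedControl PermissionsString="EditListItem">
  Draft notice
</SharePoint:SPSecurityTrimmedControl>
'''

if __name__ == "__main__":
    for line, message in audit(SAMPLE):
        print(f"line {line}: {message}")
```

Both tags only decide what is rendered on the page; access to the list items themselves is still governed by the permissions set on the list or library.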
