Securitate SharePoint List / Document Bibliotheca Videtur Disputatio (quaedam) Possibile jQuery

Hoc est aliud post in mea in-ingressus series in uti mauris cum SharePoint.
Sis commodo lorem ipsum, Ego altus suadeo: commodo in Actionis per Ursus Bibeault et Yehuda Katz.

One of the first things I thought, once I started to play around with jQuery, was whether we could use it to secure a SharePoint view. The answer is “no” (or at least, I’m not claiming it’s possible). Autem, it is certainly possible to make it difficult for people to see a particular view.

I started with my sandbox environment when working on this. I wrote about that environment here: Vivos et Securus: Creare tua Suas commodo Sandbox enim SharePoint.

To “secure” a view, follow these steps:

  1. Create a view you want to secure. I did that and called it “Secured View”.

    This is what it looks like when it’s not “secured”:

    image

  2. Add a content editor web part to the view’s page using the trick described in the sandbox article (i.e. add “PageView=Shared&ToolPaneView=2” to the URL).
  3. Figure out your SharePoint _spUserId by following these crazy steps, believe or not:
    1. Log into your SharePoint environment.
    2. In the web browser’s address field, typus: “javascript:alert(_spUserId”).
    3. Record the result (it’s “13” in my case).

      image

  4. Add the following javascript to your CEWP in code view:

    <scriptor
        type =,,en,"../../jQuery Library/jquery-1.3.2.min.js,,en,sujith Krish,,en,Nonne vidisti, quod addit in CEWP editform.aspx ut conteram versionem ad paginam principem et notitia ostendit sectionem in III,,en,Quis hoc workarounds,,en,Aliquis,,en"text/javascript"
        src ="../../jQuery Library/jquery-1.3.2.min.js">
    </script>
    
    <script typus ="text/javascript">
      $(munus() {
    
        alert(_spUserId);
    
        var theSecuredView = $('iframe[FilterLink*=Secured View]');
    
        si ((theSecuredView.length > 0) && (_spUserId == 13))
          $('iframe[FilterLink*=Secured View]').parentis().parentis().parentis().html("<tr = rubrum bgcolor><td>No view for you!</td></tr>");
      });
    
    </script>
    

I’ve included that alert(_spUserId) line in there to demonstrate how this is not really a “securing” a view, but simply making it more difficult to see. More on that in a moment.

Basically, jQuery is looking for an iFrame on the page who has an attribute that contains “Secured View” in its value. Once it finds it, we check to see if the current user is “13”. If it is, we walk up the DOM to a <TR> tag (which I figured out by viewing source and tracing it) and then replacing that TR tag with my message. I really don’t know how robust this is (I’m very suspicious, in facto), but it worked in my sandbox. If I find a better way, I’ll blog about it. This is the result:

image

I click the OK button and the data is replaced with a big red message:

image

As you can tell, the way I’ve implement this “security” solution is to allow the web part to render itself. After it finishes, I overwrite its content with my “No view for you!” message.

Despite the fact that it’s not really a “secured’” view, it’s potentially useful and with some clever work, it may eventually be securable in a more formal sense. The fundamental issue is that the client is getting all the data and then, only after it gets the data, it wipes it out. If the client is getting the data, a clever user can prevent the jQuery from running at all and see what he/she wants to see.

There are other drawbacks. This “security” approach is based off a _spUserId. We’d want to really secure based on the full SharePoint security model, or at least by user name. That becomes progressively harder, but I see some good stuff written on this subject, so I’m hopeful there’s a good answer to that problem.

The list of views themselves should be trimmed, si fieri potest,. I haven’t tried to figure that out. I assume it’s possible, but doesn’t really solve the fundamental security issue because someone could still just type the URL of the view they want (if they knew it). Autem, trimming makes sense. It’s a good usability feature and it helps to obfuscate things. If an end user doesn’t know that the view event exists, they probably won’t try to use it. Aliquando, that’s good enough.

With luck, I’ll have more to write on this subject over time.

</finem>

Scribet ad mea blog.

Sequi me in Twitter ad http://www.twitter.com/pagalvin

Aliquam

Tua inscriptio electronica non editis. Velit sunt insignis *