Friday, August 31, 2007

Security trimmed SiteSettings page

A couple of days ago I posted about the "Manage web site" option in the "User Permissions for Web Application" section of Central Admin. If we unchecked that option, we saw that a lot of options disappeared from the Site Settings page for users who have Full Control, and this was the desired case in our environment. Unfortunately a lot of unexpected errors occurred because of the removal of permissions. The permissions were removed not only from the users but also from the service accounts on which SharePoint runs. So the conclusion was to enable it again to maintain functionality and just deal with less strictly managed sites.

But! Today I found the solution.. it seems that the Site Settings page is just a feature as well, and you know what you can do with links that are controlled by features.. Yes! You can security trim them! So in order to remove the links from the Site Settings page you just open sitesettings.xml (\12\TEMPLATE\FEATURES\SiteSettings) and add the following bit to each link: 'RequireSiteAdministrator="TRUE"'

So the 'Site Features' link (one we don't want the user to play with) looks like this:

    <CustomAction
        Id="ManageSiteFeatures"
        GroupId="SiteAdministration"
        Location="Microsoft.SharePoint.SiteSettings"
        RequireSiteAdministrator="TRUE"
        Rights="ManageWeb"
        Sequence="80"
        Title="$Resources:SiteSettings_ManageSiteFeatures_Title;">
        <UrlAction
            Url="_layouts/ManageFeatures.aspx" />
    </CustomAction>

 

And here is the tricky part.. at least.. it feels really tricky.. you will have to uninstall the site settings feature using STSADM and install it again for the settings to take effect:

STSADM -o uninstallfeature -name sitesettings
STSADM -o installfeature -name sitesettings

There you have it! A trimmed Site Settings page without having to uncheck the 'Manage WebSite' option. With URL hacking you can still get there, of course, so it's not really bulletproof (although you can edit the .aspx pages and put an SPSecurityTrimmedControl around it).
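An added example, not part of the original post: a small Python check that reads the feature's element XML and reports which Site Settings links are trimmed to site administrators and which application page each link points to, since those pages stay reachable by URL even when the link is hidden. The sample XML is constructed; `ExampleUntrimmedLink`, `ExampleMenuItem` and `_layouts/example.aspx` are made-up names.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/sharepoint/}"
LOCATION = "Microsoft.SharePoint.SiteSettings"

# Constructed sample shaped like the feature's element file. Only the first
# entry mirrors the post; "ExampleUntrimmedLink" and its URL are made up.
SAMPLE = """<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <CustomAction Id="ManageSiteFeatures" GroupId="SiteAdministration"
      Location="Microsoft.SharePoint.SiteSettings"
      RequireSiteAdministrator="TRUE" Rights="ManageWeb" Sequence="80"
      Title="Site features">
    <UrlAction Url="_layouts/ManageFeatures.aspx" />
  </CustomAction>
  <CustomAction Id="ExampleUntrimmedLink" GroupId="SiteAdministration"
      Location="Microsoft.SharePoint.SiteSettings"
      Rights="ManageWeb" Sequence="90" Title="Example link">
    <UrlAction Url="_layouts/example.aspx" />
  </CustomAction>
  <CustomAction Id="ExampleMenuItem" Title="Other"
      Location="Microsoft.SharePoint.StandardMenu" />
</Elements>"""


def audit_site_settings(xml_text):
    """Return one row per Site Settings link with its trimming attributes."""
    rows = []
    for action in ET.fromstring(xml_text).iter(NS + "CustomAction"):
        if action.get("Location") != LOCATION:
            continue  # not a Site Settings link
        url = action.find(NS + "UrlAction")
        rows.append({
            "id": action.get("Id"),
            "rights": action.get("Rights"),
            # The post writes the flag as TRUE; compare case-insensitively.
            "admin_only": (action.get("RequireSiteAdministrator") or "").upper() == "TRUE",
            # Hiding the link does not protect this page from direct requests.
            "url": url.get("Url") if url is not None else None,
        })
    return rows


def untrimmed_ids(rows):
    """Ids of links still shown to users who are not site administrators."""
    return [r["id"] for r in rows if not r["admin_only"]]


if __name__ == "__main__":
    for r in audit_site_settings(SAMPLE):
        who = "site admins only" if r["admin_only"] else f"anyone with {r['rights']}"
        print(f"{r['id']:22} {who:26} {r['url']}")
```

The `url` column is the list of application pages that still need their own permission check, whatever the Site Settings page shows.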

3 comments:

Anonymous said...

try this http://msdn2.microsoft.com/en-us/library/ms948916.aspx

sam from chicago

Zimberg said...

Sam, that article doesn't have anything to do with this article.

Yeah, you could hack the SiteSettings.xml file in the SiteSettings feature, and you could edit all of the application pages you don't want your users to go to by adding a security trimming control, but both the SiteSettings feature and those application pages are central to the whole farm. So you'd have to make these changes to each WFE server, they aren't deployable or retractable, and they will affect all web applications on the farm.

Out of the box SharePoint has really left me disappointed with the default infrastructure. Trying to do simple things is a lot more difficult than it should be because of things like centralized application pages pointed to by a virtual directory instead of ghosting them or even copying them for each web app.

Robin Meuré said...

Hi Zimberg,

This is a very old post.. I won't recommend doing it again, to be honest, since it's not supported to modify out-of-the-box files.

I think at this time I would recommend writing a feature that hides the links in the SiteSettings by using the HideCustomAction elements: http://msdn.microsoft.com/en-us/library/ms465980.aspx