Blog Site in Anonymous Use

December 22 2010 14 comments

Anonymous user cannot enter a blog entry in a SharePoint site if ViewFormPagesLockDown feature is active at site collection level and ViewFormPagesLockDown feature is active if site collection is based on publishing portal. After googling we came accross plenty of resources considering this matter:

We didn’t want use the solutions suggested in the links above. To disable the ViewFormPagesLockDown “…leaves you wide open from a security perspective…”. To have our blog site in another site collection. Well that’s just not what we want to do to solve this tiny little thing with permissions.

Me and Aapo dug with reflector into ViewFormPagesLockDown feature and found out what the feature receiver does.

The highlighted sections of the feature receiver show what happens to Guest’s permissions at rootweb level when you disable ViewFormPagesLockDown site collection level feature.

So why not just take the solution from where it is and develop a web scoped feature which does the exactly same thing to the blog site but not to all webs in the site collection because that’s not what we want.

Develop a feature receiver as follows:

using System;
using Microsoft.SharePoint;

namespace My.Assembly
{
    public class FormPagesLockDownReleaseReceiver : SPFeatureReceiver
    {
        public override void FeatureActivated(SPFeatureReceiverProperties
        properties)
        {
            using (var web = (SPWeb)properties.Feature.Parent)
            {
                var anonymousState = web.AnonymousState;
                // continue only if anonymous use is enabled
                if (anonymousState == SPWeb.WebAnonymousState.Disabled)
                    return;
                web.AllowUnsafeUpdates = true;
                 // break inheritance to set permissions per site
                web.RoleDefinitions.BreakInheritance(true, true);
                // permission granting from LockDownViewFormPages
                var byType = web.RoleDefinitions.GetByType(SPRoleType.Guest);
                byType.BasePermissions |= SPBasePermissions.EmptyMask |
                SPBasePermissions.ViewFormPages;
                byType.BasePermissions |= SPBasePermissions.UseRemoteAPIs;
                byType.Update();
                // reset the anonymous state programmatically
                web.AnonymousState = SPWeb.WebAnonymousState.Disabled;
                web.AnonymousState = anonymousState;
                web.Update();
                web.AllowUnsafeUpdates = false;
            }
        }
    }
}

Resetting the anonymous state is just a thing you would have to do from UI when you toggle permissions. Lockdown Mode in SharePoint 2010: “If anonymous is already setup, you may need to disable\re-enable anonymous on the site.”

Then a web scoped feature that consumes the receiver:

<?xml version="1.0" encoding="utf-8" ?>
<Feature  
  Id="{6189C7B4-6FDC-4BAA-95FD-03DD318031E5}"
  Title="Blog Anonymous Access Staplee"
  Description="Enables Anonymous Access to Blog Entries"
  Scope="Web"
  ReceiverAssembly="My.Assembly,
  Version=1.0.0.0,
  Culture=neutral,
  PublicKeyToken=e3e48257ada349c4"

  ReceiverClass="My.Assembly.FormPagesLockDownReleaseReceiver"
  Hidden="FALSE"
  xmlns="http://schemas.microsoft.com/sharepoint/">
</Feature>

You could set the feature hidden to avoid accidental feature activations.

Then a stapling mechanism at site collection level to staple the feature to Blog sites by default.

Stapling.xml

<?xml version="1.0" encoding="utf-8" ?>
<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <!--BLOG#0-->
      <!--Staple FormPagesLockDownReleaseReceiver to Blog sites -->
      <FeatureSiteTemplateAssociation
    Id="6189C7B4-6FDC-4BAA-95FD-03DD318031E5"
    TemplateName="BLOG#0" />
</Elements>
<?xml version="1.0" encoding="utf-8" ?>
<Feature
    Id="{7DF309A4-7E3B-488A-9D2A-F3B88D656465}"
    Title="Blog Anonymous Enabling Stapler"
    Description="Staples Anonymous Access to Created Blog Sites"
    Version="1.0.0.0"
    Scope="Site"
    xmlns="http://schemas.microsoft.com/sharepoint/"
    ActivateOnDefault="FALSE">
    <ElementManifests>
        <ElementManifest Location="Stapling.xml" />
    </ElementManifests>
</Feature>

Voila, you have a mechanism to allow viewing form pages only in blog sites when you activate the stapler feature at site collection level. Of course, if you want, you could even set the needed permissions at list level in the Blog site, I suppose, but that’s not what we’ve done here.

Popularity: 4% [?]

14 comments to “Blog Site in Anonymous Use”

  1. [...] Blog Site in Anonymous Use (SharePoint Blues) Anonymous user cannon enter a blog entry in a SharePoint site if ViewFormPagesLockDown feature is active at site collection level and ViewFormPagesLockDown feature is active if site collection is based on publishing portal. After Googling we came across plenty of resources considering this matter:  [...]

  2. [...] Blog Site in Anonymous Use (SharePoint Blues)Anonymous user cannon enter a blog entry in a SharePoint site if ViewFormPagesLockDown feature is active at site collection level and ViewFormPagesLockDown feature is active if site collection is based on publishing portal. After Googling we came across plenty of resources considering this matter: [...]

  3. Thomas Carpe says:

    Yes, this is exactly what I needed! Thanks guys for having a similar mentality and just digging right into the guts of SharePoint to cut it open, do some surgery, and “staple” it back together again. ;-) You saved my day.

  4. [...] a post and see the details. They were being prompted to log in. After some looking around I found this great post from Juha Pitkänen. It turns out that there is a ViewFormPagesLockDown feature that gets activated [...]

  5. blog IT says:

    I used to be very happy to seek out this internet-site.I needed to thanks in your time for this excellent learn!! I undoubtedly having fun with each little bit of it and I have you bookmarked to take a look at new stuff you weblog post.

  6. DarkS0ul says:

    Hello,
    I am still new to SharePoint programming and hence “Then a web scoped feature that consumes the receiver” threw me off a bit. Would it be possible to share the source code so I can better understand each step, thank you so much.

  7. Antonietta says:

    With havin so much written content do you ever run into any issues of plagorism
    or copyright violation? My site has a lot of completely unique content I’ve either written myself or outsourced but it looks like a lot of it is popping it up all over the web without my agreement. Do you know any methods to help protect against content from being stolen? I’d truly appreciate it.

  8. I am regular visitor, how are you everybody?
    This piece of writing posted at this site is really pleasant.

    Here is my homepage … most effective Male enhancement Product

  9. Launa says:

    You can definitely see your expertise within the article you write.
    The sector hopes for even more passionate writers
    like you who aren’t afraid to mention how they believe. All the time go after your heart.

  10. videoporno says:

    I would like to thank you for the efforts you’ve put in writing this website.
    I am hoping to see the same high-grade blog posts by you later on as well.
    In truth, your creative writing abilities has encouraged
    me to get my own, personal blog now ;)

  11. youtube.com says:

    You can transform yourself to the male of their choice according to
    their personality type. Most of the time the client is not aware of these
    habits, and it requires some real work on my part just to convince them that they exist in the first place.
    Real understanding of women gives you a distinct
    advantage over guys have no clue.

    Here is my webpage – Christian Hudson (youtube.com)

Leave a Reply