Author archive: Johannes Milling

SharePoint 2010 Security Breach: Export to Excel Ignores Security Trimming

I’m currently working on a project where there are lists where permissions are broken and set on the list item level. Basically there are different groups of users, and some should see all items, and some should only be able to view a few of them. Now, all of these users have contribute, and can use the ‘Export to Excel’ function, which is very important to them. Now here is the issue I found out just a few days ago. Export to Excel ignores security trimming!

So what does this actually mean? Let me illustrate using a fictional example:

I have a list called Accounts, where I store important information about clients and the business I have with them. Some accounts are secret, so I break the permission inheritance on them. Let’s say I have three accounts, A, B and C. Account A is secret, and I’m the only one who has permissions to view it. Now, I have a group of colleagues, who also have access to the Accounts list, and can contribute to it. But when they visit the list, they can’t see Account A, since I have removed their permissions from it. Now what happens when one of my colleagues uses the Export to Excel function? You would think that the generated Excel file would only contain accounts B and C. But no! The export function ignores the item-level permissions of the user and only checks if the user has permissions to access the function itself. The result is that the user can see account A as well, giving them access to information that should be hidden.

In my opinion, this has to be regarded as a bug, because if this is by design, it’s poor design indeed.

EDIT:
I tested this in SharePoint 2013, and the bug seems to be fixed. Will try and see if there is a hotfix or CU fixing this issue for SP 2010.

EDIT2:
After installing the July 2014 CU for SharePoint Server 2010, I can confirm that the bug is not fixed. It has to have been fixed for SP 2013 only.
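To find the lists where this matters, the following added example (not code from the original post) reports every list that holds items with broken permission inheritance. The function name `Get-ItemLevelPermissionExposure`, the helper `New-MockItem` and the mock lists are hypothetical and constructed to mirror the Accounts example; the commented lines at the end show how to feed it real lists on a SharePoint 2010 server.

```powershell
# Added example: flag lists that rely on item-level permissions.
function Get-ItemLevelPermissionExposure {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $List
    )
    process {
        # Enumerate once; works for SPListItemCollection and for plain arrays
        $items = @($List.Items)
        # HasUniqueRoleAssignments is true when inheritance is broken on the item
        $restricted = @($items | Where-Object { $_.HasUniqueRoleAssignments })
        if ($restricted.Count -gt 0) {
            New-Object PSObject -Property @{
                List            = $List.Title
                TotalItems      = $items.Count
                RestrictedItems = $restricted.Count
                RestrictedIds   = ($restricted | ForEach-Object { $_.ID }) -join ','
            }
        }
    }
}

# Constructed stand-ins for SPList / SPListItem objects (hypothetical data)
function New-MockItem($Id, $Title, $Unique) {
    New-Object PSObject -Property @{
        ID = $Id; Title = $Title; HasUniqueRoleAssignments = $Unique
    }
}
$accounts = New-Object PSObject -Property @{
    Title = 'Accounts'
    Items = @(
        (New-MockItem 1 'Account A' $true),   # secret, inheritance broken
        (New-MockItem 2 'Account B' $false),
        (New-MockItem 3 'Account C' $false)
    )
}
$contacts = New-Object PSObject -Property @{
    Title = 'Contacts'
    Items = @((New-MockItem 1 'Contact X' $false))
}

# Only 'Accounts' is reported: 1 restricted item (ID 1) out of 3
$accounts, $contacts | Get-ItemLevelPermissionExposure

# On a SharePoint 2010 server, in the SharePoint Management Shell:
#   $web = Get-SPWeb 'http://<your-site-url>'
#   $web.Lists | Where-Object { -not $_.Hidden } | Get-ItemLevelPermissionExposure
#   $web.Dispose()
```

Every list in the output is one where an exported file should be compared against what a restricted user is meant to see.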

Programmatically move a SPListItem to another folder in the same list

I had a hard time finding a good source for this, and therefore decided to write a short post about it.

First of all, I want to say that I am against the use of folders unless you absolutely need them. They add unnecessary complexity, and you can have the benefits of folders without many of the drawbacks by using metadata instead, for example with managed metadata fields. However, as there is no OOTB (out of the box) way of handling permissions for a group of items based on their metadata, folders MIGHT be useful for that purpose. There are other solutions though.

Now to the task at hand, moving a SPListItem based on its metadata, and then moving it to a subfolder in the same list. In my example, I will be moving the item in an event receiver.

What we need to do is to check the SPFileSystemObjectType of the SPListItem. This value will actually be File, even if it’s not a document library. Regular list items will also return object type File. This is only needed if you don’t want to move folders the same way.

This code assumes you have already got your SPListItem:

Then we need to get the file object of the item. The file object will exist even if the list is not a library, and this code will work for documents and list items alike.

Then we want to build the new destination path where the item will be moved to. The path should follow the pattern: “<web url>/<list rootfolder url>/<subfolder>/<item Id>._000”

And lastly, we simply call the SPFile.MoveTo method on our file object, and add the destination path.

And that’s it. Put this in an ItemAdded function in an event receiver for a list and items will automatically be moved to the correct folder. Below is my complete example where I also make sure the folder exists before moving the item.

Sources:

http://zhebrun.blogspot.se/2011/06/sharepoint-how-to-move-listitem-or.html

Programmatically create, setup and use a custom Site Policy

On a current project I got the task to implement a solution for pushing out Site Policies to team sites. The common way of doing this is by using a Content Type Hub, which there are several blogs and guides available explaining how to do. But in this case this was not an option, and I had to be able to do it programmatically.

Finding examples of how to create a custom Site Policy wasn’t very hard, but what I soon discovered was that hardly any of these actually explained how to setup the schema of the policy the way you wanted. They just explained how to create one and maybe even set it to be used on a given site. And the object model itself isn’t complete enough to let you set everything using code. Eventually I found one single blog post by Dragan Panjkov which showed how to set it up, and managed to get it to work.

Site Policies are actually hidden content types, which you can tell by some parts of the creation process. The creation of the policies is actually pretty simple, and can be done with a few lines of code. First of all, you need to reference the InformationPolicy namespace, like so:

The second thing we do is get the ProjectPolicy content type, which is (according to its own description) the “Container content type for Project Policy definitions”.
Note: The code assumes you already have an SPSite object called site.

The content type id in the code above is always the same, and is the id of the content type “Project Policy”.

Then you can create your own content type using Project Policy as the parent.

The next step is to set up the content type with the schema you want to use. For this there is no object model support. You have to write your own xml, which is a real pain. But the great post by Dragan gave a great solution on how to do this.

Set up a Site Policy the way you want it on a site in the browser. Open the site in SharePoint Manager and go to the Content Types collection. There will be a content type with the same name as the policy you just created. Click the content type and scroll down to the XmlDocuments property. Open that collection and copy the value of the <pp:ProjectPolicy> property.

You will get an xml string, which you can copy and reuse to create your new policy schema. Doing so is simple. With the same content type object you have created previously, delete the existing project policy XmlDocument using the name from the xml.

Then load your copied xml string into a new XmlDocument object, add that to the XmlDocuments collection of your content type, and update it.

When this is done, all that’s left is to create a Policy, using your content type.

And that’s it. You’ve created your own Site Policy, with a custom schema, and all through code.

To apply the custom policy, simply get the policy object using the ProjectPolicy class, and run the ApplyProjectPolicy method.

I’ve added a simple PolicyService class on GitHub Gist. Feel free to copy and use it if you want. Some tweaks may be necessary. =)

Resources:

http://blog.dragan-panjkov.com/archive/2013/10/27/configuring-site-policy-in-sharepoint-2013-using-server-code.aspx

How to reference nested class or struct etc, in PowerShell

I had a problem trying to reference a struct inside a public class from PowerShell. I tried to do it just like in C#, only with PowerShell syntax, simply adding the nested class or struct in the namespace, separated by a dot.

Doesn’t work:

But this didn’t work. Instead I got the following error:
“Unable to find type [MyProject.MyClass.MyClassStruct]: make sure that the assembly containing this type is loaded.”

It seems, after fiddling around a bit and doing a quick search, that PowerShell has its very own way of calling a nested class or struct. Instead of adding the nested class with a dot, you actually have to use a +, like this:

Works:

I don’t know why, but that’s the way you do it. =)
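The behaviour described above, as an added example that is not code from the original post. It compiles a class with a nested struct using the names from the error message, shows that the dotted name does not resolve while the `+` name does, and prints the `FullName` that .NET reflection reports for the nested type. The helper `Resolve-TypeName` and the struct members `Name` and `Value` are hypothetical.

```powershell
# Added example: compile a class with a nested struct, then resolve it from PowerShell.
Add-Type -TypeDefinition @"
namespace MyProject
{
    public class MyClass
    {
        public struct MyClassStruct
        {
            public const string Name = "nested";
            public int Value;
        }
    }
}
"@

function Resolve-TypeName([string]$Name) {
    # -as [type] returns $null instead of throwing when the name cannot be resolved
    $type = $Name -as [type]
    New-Object PSObject -Property @{ Name = $Name; Resolved = ($type -ne $null) }
}

# Dotted form is looked up as type MyClassStruct in namespace MyProject.MyClass:
# Resolved = False
Resolve-TypeName 'MyProject.MyClass.MyClassStruct'

# Plus form is the name reflection uses for a nested type: Resolved = True
Resolve-TypeName 'MyProject.MyClass+MyClassStruct'

# Reflection shows where the '+' comes from; prints MyProject.MyClass+MyClassStruct
[MyProject.MyClass].GetNestedTypes() | ForEach-Object { $_.FullName }

# Using the nested type: constant access and instantiation
[MyProject.MyClass+MyClassStruct]::Name
$s = New-Object 'MyProject.MyClass+MyClassStruct'
$s.Value = 42
$s.Value
```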

Resources:

http://stackoverflow.com/questions/14141690/special-use-of-plus-sign-in-powershell