Freigeben über


Drawing the Curtain: Removing Access to the Site Settings Page for non-Administrative Users

 

NOTE:  In this article, I discuss making some changes to SharePoint which are unsupported by Microsoft.  As an employee within the Support realm, I want to stress that the CheckPermissions() solution below is currently unsupported by Microsoft -- if you make the change, you are on your own.  :)  That said, I have gone ahead and discussed some of the ramifications of making the change, because I think that the solution is a good one despite its being unsupported.  In short -- you've been warned.

 

You might have noticed that authenticated users granted Reader access to a SharePoint site also have access to the Site Settings page:  _layouts/<LCID>/settings.aspx.  Although these users will typically have no rights to access any of the pages linked therein, it might be desirable to remove access to the settings.aspx page altogether, so that non-Administrative users don't even have the option to see what can be done from an administrative perspective.  Honestly, I'm really not sure why this page is able to be viewed by non-Administrative users to begin with, but that's irrelevant;  it is viewable, and I want to change that.

 

I have two options, one supported and one unsupported

 

1)  Somewhat complicated, but supported:  write a wildcard-mapped ISAPI extension

 

2)  Simple, but strictly not supported:  drop a CheckPermissions() call onto the settings.aspx page

 

I've covered both of these options in more detail below:

 

*****

 

ISAPI Extension

 

Although writing an ISAPI extension isn't a particularly simple task, and requires knowledge of C++ programming, etc., it is a possible (and supported) solution.  Essentially, I would need to create an wildcard-mapped ISAPI extension that examined each request.  I would start by checking the requested URL by looking in the VTI_SCRIPT_NAME server variable.  If that request was for a _layouts page (settings.aspx in particular), my ISAPI extension could check the authentication type and/or authentication user from the server variables (AUTH_TYPE, and AUTH_USER). 

 

If, for example, the AUTH_USER server variable were blank, the ISAPI extension could redirect by posting a 302 Redirect to some other URL -- including, for example, a custom error page somewhere.

 

The IIS SDK includes ISAPI extension samples, including a wildcard-mapped ISAPI extension sample.  Here's a link to the Platform SDK Update site, where you can obtain any of the various platform SDK modules:

 

https://www.microsoft.com/msdownload/platformsdk/sdkupdate/

 

I would start with the WildcardMap sample provided in the SDK (...\Microsoft SDK\Samples\web\iis\ISAPI_6.0\WildCardMap).  This sample is specifically designed to capture *every* request.  To use this with IIS, I'll need to register the built ISAPI extension within IIS. 

 

NOTE: With Windows Server 2003 and with SharePoint Portal Server (or Windows SharePoint Services), there are some additional steps required to get the ISAPI extension functioning, which I cover below.

 

Once built, I can simply open up the IIS management console, right-click the web site I want to register the ISAPI with to get the web site properties, and choose the "Home Directory" (or "Virtual Directory" if this is a virtual directory rather than a web site) tab. 

 

Click the "Configuration..." button to open the "Application Configuration" dialog.  Under the "Wildcard application maps" section, choose "Insert..." and enter the path to my built DLL (or choose "Browse..." to find it).  IMPORTANT:  to use an ISAPI extension with Sharepoint, I must UN-check the "Verify that file exists" checkbox.

 

Apply all of those changes to the web site or virtual directory.

 

Next, in IIS management console, I select "Web Server Extensions."  This will bring up a list of the allowed and prohibited extensions.  I'll need to click on "Add a new Web service extension..." give the Extension a name, provide a link to the built DLL, and set the status to "Allowed."

 

At that point, my ISAPI extension should be ready to work.

 

CheckPermissions()

 

There *is* an alternative workaround, which -- unfortunately -- is not supported by Microsoft.  If I open one of the various administrative ASPX pages in Visual Studio.NET (or Notepad, for that matter) and view the code, I can see that there is an explicit check for role-based permissions.  For example, in User.ASPX, which is located at x:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\Template\Layouts\1033\user.aspx, the line of code which checks permissions looks like this:

 

=====

<% spWeb.Permissions.CheckPermissions(SPRights.ManageRoles); %>

=====

 

This line checks to see if the current user has the ManageRoles right.  If so, the user is allowed to view the page;  if not, the user is prompted for authentication.  In contrast, the Settings.aspx page -- the first that a user sees after clicking on "Site Settings" in a WSS site -- contains no such permissions check.

 

The SPRights enumeration is covered in the MSDN Library at the location below:

 

=====

SPRights Enumeration

=====

 

This enumeration contains various rights that can be assigned to a user.  For example, the ViewPages right allows a user to view pages within a WSS Site.  It would be possible -- though, again, not supported -- to add a line of code like the one above to the various administrative settings pages that you wanted to restrict to Administrative users only.  For instance, if I wanted to restrict access to the Settings.aspx page only to users who have the ManageWeb right, I could include the following line of code in settings.aspx (existing/surrounding code included for reference, new code in bold):

 

=====

SPWeb spWeb = SPControl.GetContextWeb(Context); %>

<% spWeb.Permissions.CheckPermissions(SPRights.ManageWeb); %>

<HEAD>

=====

 

With this code in place, when a user attempts to go to the settings.aspx page, Sharepoint will check to see if they have the ManageWeb right;  if so, they can view the page -- if not, they'll be denied access and prompted for credentials.

 

The big caveat, as I've mentioned, is that this solution is not supported by Microsoft.  We do not support making any direct modifications to the code used in any of the pages in the LAYOUTS directory.  What this means is that if you were to apply this change and later were to run into any problems on your server, Microsoft PSS would require that the change be rolled back before any assistance could be given.  Additionally, Microsoft has reserved the right to overwrite any of the default (out-of-the-box) files located in the LAYOUTS directory in any future service packs or updates.  Such an overwrite would wipe out changes, so I would need to be aware of the changes that I've made so that I could re-implement in such a case.

 

*****

 

There is one scenario in which this isn't an issue:  Anonymous access over the internet.  If I have setup a SharePoint site to allow anonymous authentication, and a user browses to my site, they can view pages such as default.aspx just fine.  As soon as they attempt to view settings.aspx, though, they will be prompted.  Because the user is not on my domain, Windows Integrated authentication cannot negotiate authentication to settings.aspx, and the user will be prompted.

Comments

  1.      .       ,     .
  2.    .     -     .
  3.    .      (, , , ). : http://www.akwadrat.ru/ E-mail: Ra_Design@List.ru   ,   .
  • Anonymous
    May 03, 2007
    I found lots of intresting things here. Please more updates.

  • Anonymous
    May 04, 2007
    I found lots of intresting things here. Please more updates.

  • Anonymous
    May 04, 2007
    Good Work dude! I will visit your website again.

  • Anonymous
    May 06, 2007
    Frankly, the way things are right now, I'm not sure I'd want to play myself in my very own movie of the week.

  • Anonymous
    May 06, 2007
    Looks great! I found lots of intresting things here. Please more updates.

  • Anonymous
    May 06, 2007
    Ja Krevetko! http://buncootcprilosec.iwannaforum.com/ <a href='http://buncootcprilosec.iwannaforum.com/'> bunco otc prilosec </a>

  • Anonymous
    May 06, 2007
    I found lots of intresting things here. Please more updates.

  • Anonymous
    May 07, 2007
    Ja Krevetko! http://buncootcprilosec.iwannaforum.com/ <a href='http://buncootcprilosec.iwannaforum.com/'> bunco otc prilosec </a>

  • Anonymous
    May 07, 2007
    This is really fresh idea of the design of the site! I seldom met such in Internet. Good Work dude!

  • Anonymous
    May 12, 2007
    Hi Lucy! Photos i received, thanks!!!

  • Anonymous
    May 13, 2007
    Great site and excellent resource you have. I think it's very cool. I will visit your website again. Thank you!

  • Anonymous
    May 13, 2007
    Very good website you have here, After the visit I put my step in to your guestbook.

  • Anonymous
    May 15, 2007
    Great site and excellent resource you have. I think it's very cool. I will visit your website again. Thank you! http://valium1.blogcu.com/ Buy Valium

  • Anonymous
    May 15, 2007
    http://matress.iespana.es/foam-mattress-pads.html http://matress.iespana.es/tempurpedic-mattress-pad.html http://matress.iespana.es/eclipse-le-grand-mattress.html

  • Anonymous
    May 15, 2007
    Nice design. Please add more smiles to your guestbook :)  Please more updates. http://valium1.blogcu.com/ Buy Valium

  • Anonymous
    May 16, 2007
    I found lots of intresting things here. Please more updates. http://valium1.blogcu.com/ Buy Valium

  • Anonymous
    May 16, 2007
    If you listen to the Matrix soundtrack on your Ipod, or perhaps a fun song, your life automatically becomes a movie. http://valium1.blogcu.com/ Buy Valium

  • Anonymous
    May 18, 2007
    This is really fresh idea of the design of the site! I seldom met such in Internet. Good Work dude!

  • Anonymous
    May 18, 2007
    Nice site. Very useful contents. I've been looking for information for a long time, and I've found it exactly here. Thank you

  • Anonymous
    May 18, 2007
    I have already enjoy your website, and it is so nice and cool. I will visit your website again. Thank you

  • Anonymous
    May 20, 2007
    What a good site! I think it wasnt easy to post here so much information. Thank you, I will add it to my bookmarks

  • Anonymous
    May 20, 2007
    Good Work dude! I will visit your website again.

  • Anonymous
    May 21, 2007
    Dear Friend! Halo! <a herf=http://nail-designtv-show.cammoza.info>nail-designtv-show.cammoza.info&#36948;</a> [url=http://shirt-design.cammoza.info/]shirt-design[/url] <a herf=http://cammoza.info>cammoza.info&#36948;</a> My Regards!

  • Anonymous
    May 23, 2007
    Looks great! I found lots of intresting things here. Please more updates.

  • Anonymous
    May 23, 2007
    Very good website you have here, After the visit I put my step in to your guestbook.

  • Anonymous
    May 27, 2007
    What a good site! I think it wasnt easy to post here so much information. Thank you, I will add it to my bookmarks

  • Anonymous
    May 27, 2007
    Looks great! I found lots of intresting things here. Many thanks.

  • Anonymous
    May 28, 2007
    Hey! This is really your Work?! Cool! I never earlier did not see sites like this! Tnx!

  • Anonymous
    May 28, 2007
    This is really fresh idea of the design of the site! I seldom met such in Internet. Good Work dude!

  • Anonymous
    May 28, 2007
    Your site is very very cool !! I love it :) Respect !

  • Anonymous
    May 29, 2007
    <a href= http://xigozy.angelfire.com >a business decision</a> <a href= http://fatoso.angelfire.com >a 5 drop forwards</a> <a href= http://pohofu.angelfire.com >aaway messages</a> <a href= http://gukogi.angelfire.com >a change of pace lyric loose lip sink ship</a> <a href= http://wedovu.angelfire.com >a way to carry on again</a>

  • Anonymous
    June 01, 2007
    Very good website you have here, After the visit I put my step in to your guestbook.

  • Anonymous
    June 01, 2007
    Looks great! I found lots of intresting things here. Please more updates.

  • Anonymous
    June 01, 2007
    Site - very comprehensive and meticulous from all sides, its good! Just excellent website, I sure! http://caverta1.blogcu.com/3011326/ Buy Caverta Online

  • Anonymous
    June 02, 2007
    Hi Webmaster! It was a pleasure to look through this site! there is a lot of new and fresh ideas)!Thank You

  • Anonymous
    June 04, 2007
    Hi Webmaster! It was a pleasure to look through this site! there is a lot of new and fresh ideas)!Thank You

  • Anonymous
    June 04, 2007
    "It's not because of fate, it's because of Tequila"  That may be the best thing I have ever read in my whole life!

  • Anonymous
    June 04, 2007
    Frankly, the way things are right now, I'm not sure I'd want to play myself in my very own movie of the week.

  • Anonymous
    June 04, 2007
    Site - very comprehensive and meticulous from all sides, its good! Just excellent website, I sure!

  • Anonymous
    June 06, 2007
    Looks great! I found lots of intresting things here. Please more updates.

  • Anonymous
    June 09, 2007
    nice site! http://idisk.mac.com/dtd4/Public/ http://pumacartshoes.iespana.es

  • Anonymous
    June 09, 2007
    Hi Guys! What Your Blog Powered By?  Keep up the great work!