If you see any SharePoint page anonymously, you can see only the items you’re supposed to see. If we as visitors have no rights to see certain site, it’s not displayed. Also if any elements of a list or a document library has specific permissions not to be available for public, we can’t see it.
SharePoint has a very good Security model, which we can use (yes, and even without visual Studio). We can set to display certain parts of page or DFWP based on rights the visiting user has. For example: If we have a special part that only the users that have the right to edit, can see, we’d wrap it in a conditional formatting tag with a condition ddwrt:IfHasRights(4)
<xsl:if test=”ddwrt:IfHasRights(4)”>Only Editors can see this text!</xsl:if>
The number 4 in the example above represents the editing right. You’ll find all available rights permissions in the table below. The example above is good for hiding the “Edit” button.
You can make the same outside of a WebPart. But you need to use different kind of tag to nest the protected content in:
<Sharepoint:SPSecurityTrimmedControl runat="server" PermissionsString="EditListItems">Only
Editors can see this text!</Sharepoint:SPSecurityTrimmedControl>
Use the example above anywhere on the webpage outside of a webpart. As we can see this time the permission is defined with a string instead of number. For this tag to be working, don’t forget to register the SharePoint tagprefix before with
<%@ Register tagprefix="SharePoint" namespace="Microsoft.SharePoint.WebControls"
assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c" %>
(in SharePoint’s default master page it’s already added). You’re probably asking which are the values. Thanks to Ian Morrish I’ve found the whole set. (the strings for PermissionString are quite self-descriptive)
| SPSecurityTrimmedControl | ddwrt:IfHasRights |
|---|---|
| ViewListItems | 1 |
| AddListItems | 2 |
| EditListItems | 4 |
| DeleteListItems | 8 |
| ApproveItems | 16 |
| OpenItems | 32 |
| ViewVersions | 64 |
| DeleteVersions | 128 |
| CancelCheckout | 256 |
| PersonalViews | 512 |
| ManageLists | 2048 |
| ViewFormPages | 4096 |
| Open | 65536 |
| ViewPages | 131072 |
| AddAndCustomizePages | 262144 |
| ApplyThemeAndBorder | 524288 |
| ApplyStyleSheets | 1048576 |
| ViewUsageData | 2097152 |
| CreateSSCSite | 4194314 |
| ManageSubwebs | 8388608 |
| CreateGroups | 16777216 |
| ManagePermissions | 33554432 |
| BrowseDirectories | 67108864 |
| BrowseUserInfo | 134217728 |
| AddDelPrivateWebParts | 268435456 |
| UpdatePersonalWebParts | 536870912 |
| ManageWeb | 1073741824 |
| UseRemoteAPIs | 137438953472 |
| ManageAlerts | 274877906944 |
| CreateAlerts | 549755813888 |
| EditMyUserInfo | 1099511627776 |
| EnumeratePermissions | 4611686018427387904 |
| FullMask | 9223372036854775807 |
There are some considerations you should take in mind:
1. This doesn’t work on “System” pages – in _layouts folder
2. This is chekcing the security against the actual page you’re viewing (if you put the spsecuritytrimmedcontrol in a masterpage it will check ivisitors permissions on a page he’s viewing, not on a masterpage).