I see London, I see France… (Properly Securing Your Public Sites Part 2)

In my previous post, I talked about the ViewFormPagesLockDown feature. This removes the ViewFormPages and UseRemoteAPIs permissions for guests across an entire site collection. This is a great thing if that’s what you intend to do, but occasionally you might want to do the same thing for a subset of your site. You could use code similar to that shown in the previous post, applied to a single list instead of a site collection, or you can do it using the user interface (an option not available for the whole-site-collection scenario).

In SharePoint, a Permission Level is a named set of permissions. You can see the permission levels by selecting Settings|Permission Levels on the Site Permissions page as shown below.

The MOSS publishing infrastructure features create a permission level named Restricted Read that allows users to view individual items, but denies them the ViewFormPages permission. You can easily create your own permission level to do the same thing. When you create the permission level, simply check View Items and SharePoint will take care of the rest.

Unfortunately, there is one big gotcha with this (using the browser – remember, you can set it with code) where anonymous access is concerned. To learn what it is, and one way to fix it, see this post.

I configured the Photos list on this blog using the View Items permission level.

You should see all the figures, but be unable to browse the photos list. If you click the link, you will see an Access Denied error.
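
To verify a configuration like the one described above, the following added example (not code from this post or the previous one) reports every list in a web whose anonymous permission mask still includes ViewFormPages or UseRemoteAPIs. It assumes it runs on a SharePoint server under an account that can open the site through the server object model; the class name and the command-line argument are hypothetical.

```csharp
// Added example: audit per-list anonymous permission masks.
using System;
using Microsoft.SharePoint;

class AnonymousMaskAudit
{
    // The two permissions the lockdown approach removes from guests.
    const SPBasePermissions Risky =
        SPBasePermissions.ViewFormPages | SPBasePermissions.UseRemoteAPIs;

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: AnonymousMaskAudit <web-url>");
            return 2;
        }

        int findings = 0;
        using (SPSite site = new SPSite(args[0]))
        using (SPWeb web = site.OpenWeb())
        {
            Console.WriteLine("Web {0}: anonymous mask = {1}",
                web.Url, web.AnonymousPermMask64);

            foreach (SPList list in web.Lists)
            {
                SPBasePermissions mask = list.AnonymousPermMask64;
                if (mask == SPBasePermissions.EmptyMask)
                    continue; // no anonymous access recorded on this list

                // Bits anonymous users hold beyond plain item viewing.
                SPBasePermissions exposed = mask & Risky;
                bool canView = (mask & SPBasePermissions.ViewListItems) != 0;

                Console.WriteLine("{0,-30} unique={1,-5} viewItems={2,-5} exposed={3}",
                    list.Title, list.HasUniqueRoleAssignments, canView, exposed);

                if (exposed != SPBasePermissions.EmptyMask)
                    findings++;
            }
        }

        Console.WriteLine("{0} list(s) expose form pages or remote APIs to anonymous users.",
            findings);
        return findings == 0 ? 0 : 1; // non-zero exit code when anything is exposed
    }
}
```

A list configured with only View Items for anonymous users should show `viewItems=True` and an empty `exposed` value.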