SharePoint 2010 Security Breach: Export to Excel Ignores Security Trimming

I’m currently working on a project where there are lists where permissions are broken and set on the list item level. Basically there are different groups of users, and some should see all items, and some should only be able to view a fiew of them. Now, all of these users have contribute, and can use the ‘Export to Excel’ function, which is very important to them. Now here is the issue I found out just a few days ago. Export to Excel ignores security trimming!

So what does this actually mean? Let me illustrate using a fictional example: I have a list called Accounts, where I store important information about clients and the business I have with them. Some accounts are secret, so I break the permission inheritance on them. Let’s say I have three accounts, A, B and C. Account A is secret, and I’m the only one who has permissions to view it. Now, I have a group of colleagues, who also have access to the Accounts list, and can contribute to it. But when they visit the list, they can’t see Account A, since I have removed their permissions from it. Now what happens when one of my colleagues use the Export to Excel function? You would think that the generated Excel file would only contain accounts B and C. But no! The export function ignores the permissions of the user and only checks if the user has permissions to acces the function itself. The result is the user being able to see account A as well, giving it access to information that should be hidden. In my opinion, this has to be regarded as a bug, because if this is by design, it’s poor design indeed.

EDIT: I tested this in SharePoint 2013, and the bug seems to be fixed. Will try and see if there is a hotfix or CU fixing this issue for SP 2010.

EDIT 2: After installing the July 2014 CU for SharePoint Server 2010, I can confirm that the bug is not fixed. It has to have been fixed for SP 2013 only.

EDIT 3: It seems that security might be trimmed after all, only that it uses the current windows credentials rather than the account logged into SharePoint with. Please read Pierres great comment below. I have personally not tested this though.

Advertisements

Programmatically move a SPListItem to another folder in the same list

I had a hard time finding a good source for this, and therefore decided to write a short post about it.

First of all, I want to say that I am against the use of folders unless you absolutely need them. They add unnecessary complexity, and you can have the benefits of folders without many of the drawbacks by using metadata instead, for example with managed metadata fields. However, as there are no OOTB (out of the box) way of handling permissions for a group of items based in their metadata, folders MIGHT be useful for that purpose. There are other solutions though.

Now to the task at hand, moving a SPListItem based on it’s metadata, and then moving it to a subfolder in the same list. In my example, I will be moving the item in an event receiver.

What we need to do is to check the SPFileSystemObjectType of the SPListItem. This value will actually be File, even it it’s not a document library. Regular list items will also return object type File. This is only needed if you don’t want to move folders the same way.

This code assumes you have already got your SPListItem:

if (item.FileSystemObjectType == SPFileSystemObjectType.File)
{
 // Put the rest of code here.
}

Then we need to get the file object of the item. The file object will exist even if the list is not a library, and this code will work for documents and list items alike.

SPFile file = item.Web.GetFile(item.Url);

Then we want to build the new destination path were the item will be moved to. The path should follow the pattern: “<web url>/<list rootfolder url>/<subfolder>/<item Id>._000”

string filePath = string.Format("{0}/{1}_.000", "My Folder", item.ID);

And lastly, we simply call the SPFile.MoveTo method on our file object, and add the destination path.

file.MoveTo(filePath);

And that’s it. Put this in an ItemAdded function in an event receiver for a list and items will automatically be moved to the correct folder. Below is my complete example where I also make sure the folder exist before moving the item.

public override void ItemAdded(SPItemEventProperties properties)
{
 var item = properties.ListItem;
 var folderName = item["My Column"].ToString();
 var folderUrl = SPUtility.ConcatUrls(SPUtility.ConcatUrls(item.Web.Url, item.ParentList.RootFolder.Url), folderName);

 EnsureFolder(item.ParentList, folderName, folderUrl);

 MoveItemToFolder(item, folderUrl);
}

private static void EnsureFolder(SPList list, string folderName, string folderUrl)
{
 if (!list.ParentWeb.GetFolder(folderUrl).Exists)
 {
 SPListItem newFolder = list.Items.Add(list.RootFolder.ServerRelativeUrl, SPFileSystemObjectType.Folder, folderName);
 newFolder.Update();
 }
}

private static void MoveItemToFolder(SPListItem item, string folderUrl)
{
 if (item.FileSystemObjectType == SPFileSystemObjectType.File)
 {
 var filePath = string.Format("{0}/{1}_.000", folderUrl, item.ID);
 var file = item.Web.GetFile(item.Url);
 file.MoveTo(filePath);
 }
}

Sources:

http://zhebrun.blogspot.se/2011/06/sharepoint-how-to-move-listitem-or.html

 

Programmatically create, setup and use a custom Site Policy

On a current project I got the task to implement a solution for pushing out Site Policies to team sites. The common way of doing this is by using a Content Type Hub, which there are several blogs and guides available explaining how to do. But in this case this was not an option, and I had to be able to do it programmatically.

Finding examples of how to create a custom Site Policy wasn’t very hard, but what I soon discovered was that hardly any of these actually explained how to setup the schema of the policy the way you wanted. They just explained how to create one and maybe even set it to be used on a given site. And the object model itself isn’t complete enough to let you set everything using code. Eventually I found one single blog post by Dragan Panjkov which showed how to set it up, and managed to get it to work.

Site Policies are actually hidden content types, which you can tell by some parts of the creation process.The creation of the policies are actually pretty simple, and can be done with a few lines of code. First of all, you need reference the InformationPolicy namespace, like so:

using Microsoft.Office.RecordsManagement.InformationPolicy;

The second thing we do is getting the ProjectPolicy content type, which is (according to it’s own description) the “Container content type for Project Policy definitions”.
Note: The code assumes you already have an SPSite object called site.

var projectPolicyContentTypeId = new SPContentTypeId("0x010085EC78BE64F9478aAE3ED069093B9963");
var contentTypes = site.RootWeb.ContentTypes;
var parentContentType = contentTypes[projectPolicyContentTypeId];

The content type id in the code above is always the same, and is the id of the content type “Project Policy”.

Then you can create your own content type using Project Policy as the parent.

var policyContentType = new SPContentType(parentContentType, contentTypes, "My Site Policy");
policyContentType = contentTypes.Add(policyContentType);
policyContentType.Group = parentContentType.Group;
policyContentType.Description = "My Description.";
policyContentType.Hidden = true;
policyContentType.Update();

The next step is to setup the content type with the schema you want to use. For this there is no object model support. You have to write your own xml, which is a real pain. But the great post by Dragan gave a great solution on how to do this.

Setup a Site Policy the way you want it on a site in the browser. Open the site in SharePoint Manager and go to the Content Types collection. There will be a content type with the same name as the policy you just created. Click the content type and scroll down to the XmlDocuments property. Open that collection and copy the value of the <pp:ProjectPolicy> property.

policyschema

You will get an xml string, which you can copy and reuse to create your new policy schema. Doing so is simple. With the same content type object you have created previously, delete the existing project policy XmlDocument using the name from the xml.

policyContentType.XmlDocuments.Delete("http://schemas.microsoft.com/office/server/projectpolicy");

Then load your copied xml string into a new XmlDocument object, and add that to the XmlDocuments collection of your content type, and updated it.

var policySchema = new XmlDocument();
policySchema.LoadXml("Insert policy schema xml here.");
policyContentType.XmlDocuments.Add(policySchema);
policyContentType.Update();

When this is done, all that’s left is to create a Policy, using your content type.

Policy.CreatePolicy(policyContentType, null);

And that’s it. You’ve created your own Site Policy, with a custom schema, and all through code.

To apply the custom policy, simply get the policy object using the ProjectPolicy class, and run the ApplyProjectPolicy method.

var policy = (from projectPolicy in ProjectPolicy.GetProjectPolicies(web)
	where projectPolicy.Name.Equals("My Site Policy")
	select projectPolicy).Single();
ProjectPolicy.ApplyProjectPolicy(web, policy);

I’ve added a simple PolicyService class on GitHub Gist. Feel free to copy and use it if you want. Some tweaks may be necessary. =)

Resources:

http://blog.dragan-panjkov.com/archive/2013/10/27/configuring-site-policy-in-sharepoint-2013-using-server-code.aspx

How to reference nested class or struct etc, in PowerShell

I had a problem trying to reference a struct inside a public class from PowerShell. I tried to do it just like in C#, only with PowerShell syntax, simply adding the nested class or struct in the namespace, separated by a dot.

Doesn’t work:

$myProperty = [MyProject.MyClass.MyClassStruct]::MyProperty

But this didn’t work. Instead I got the following error:
Unable to find type [MyProject.MyClass.MyClassStruct]: make sure that the assembly containing this type is loaded.”

It seems, after fiddling around a bit and doing a quick search, that PowerShell has it’s very own way of calling a nested class or struct. Instead of adding the nested class with a dot, you actually have to use a +, like this:

Works:

$myProperty = [MyProject.MyClass+MyClassStruct]::MyProperty

I don’t know why, but that’s the way you do it. =)

Resources:

http://stackoverflow.com/questions/14141690/special-use-of-plus-sign-in-powershell

Automatic minifying of CSS (and LESS) and javascript using Web Essentials 2013 in Visual Studio 2013

We just recently started upgrading to Visual Studio 2013 in the project I’m currently working on, and with VS 2013 comes Web Essentials 2013, an extension that’s truly essential for web development.

Now, I like to use the LESS framework when writing CSS, and have been using Web Essentials 2012 for some time. One of the nice things about LESS and Web Essentials 2012 was that it automatically generates a minified version of the CSS file for you, and that’s pretty sweet.

Now, one of the first thing we noticed in VS 2013, was that modifying and saving our LESS files no longer generated a minified version of that file.

No mini

At first we thought it might be a bug, but when exploring the toolbar menu for Web Essentials (new to 2013), we found an interresting button:

Toolbar menu

Pressing this created a settings file and added it to the solution. In this file we found a number of awesome stuff. For example, you could turn the automatic generation of CSS files on and off. And even better, there was even an option to do the same for our javascript files!

Settings

Now we were getting our minified CSS files just like before, and also having the same behavior for our javascripts!

Yes mini

Before, we used another VS plugin for generating our minified javascripts, but now we no longer need to. Everything is taken care of using Web Essentials 2013, and modifying the settings file.

Perhaps the best thing about the created settings file is that it is automatically added as a solution file, and picked up by the source controller. So once configurated, we can just check in the file and let everyone in the team get the correct behaviour automatically.

Now, I may be ignorant of what was possible in 2012. Perhaps this settings file was available, and perhaps they had support for minifying javascripts. But since Web Essentials are now more visible than before (having its own toolbar menu), finding these features was easier, and took only a few minutes to figure out, without googling for help or reading any Product Updates info. And to me that’s pretty sweet! =)

Thoughts on SPC14

LV2_0001

So I attended the official SharePoint Conference in Las Vegas for the first time last week, and after a few days of contemplation I just want to try and summarize the experience and try to jot down some of the takeaways.

For an even better summary, check out my Colleague Anatoly’s summary over at Chuvash. =)

And while a lot of this may not be news, it’s still the impression I got from the conference. If it’s old news, it might just be a more clear sign that this is indeed the path Microsoft is on when it comes to SharePoint.

SharePoint and Office

So it’s been back and forth with SharePoint and Office since… well like forever. SP 2007 was called MOSS (Microsoft Office SharePoint Server), but then they removed SharePoint as a part of Office in 2010. Now they’re bringing it back, but of course (unless you haven’t noticed yet) as a part of the online version, Office 365 and SharePoint Online. Microsoft is (and this is not new for 2014) betting big on Office 365, and they aim to have SharePoint Online usage exceed SharePoint on premise usage by 2016. I won’t go in to a discussion on why you should or shouldn’t migrate to SharePoint Online, but it’s pretty clear what the Microsoft roadmap looks like. This was extremely obvious during the conference as the word SharePoint hardly appeared without an Office logo next to it, and many sessions were focused to SharePoint AND Office developers. The question is how well (or rather how fast) the SP community and businesses will accept and adopt it. What I do believe is no matter what you may feel about SharePoint Online and Office 365, everyone planning on using or developing SharePoint in the future have better to start learning the differences, and preparing on what a migration might require in the future. That said, there is still a lot happening with the platform, and it will probably have a lot less gaps in it in a year or two, as updates are pretty frequent.

App-solutely! (Oh no he didn’t!)

Bad jokes aside, the (SharePoint) Cloud App Model won’t just be a fluke, passing by if we just keep ignoring it. I know that a lot of developers (including myself) often get stuck on it’s flaws, and argue against using it in favor of our dear old sandboxed and farm solutions. But the planet of the apps is coming, and it’s not Microsofts “fault”. It’s just their version of a shift taking place in the entire space of web and application development. One of the main reasons (I think) for us developers having such trouble adopting it, is due to the fact that we once again have to handle a lot of things that were previously handled for us, like passing authentication tokens across domains and other tedious tasks. In short, it’s more difficult to develop some things using the App Model than using a good old visual webpart for example. But we need to learn how to do it, anyway. It’s not our choice, it’s not Microsofts choice (sort of). It’s just how it is.

AND… The App Model is still pretty new compared to “the good old stuff”, and it’s evolving all the time, as is the body of knowledge possessed by the SP community. It will get better, and easier to work with. For now, we just have to keep improving ourselves and learn all the new techniques and skills needed to be good little SP developers.

SharePoint is getting smaller

So we’ve seen it before. In SP 2013, a few services were cut loose, the recommendation to host them on individual servers. For example Office Web Apps (I know it was a separate product even in SP2010), Workflow Manager or Foundation or what’s it’s name, etc. This goes hand in hand with the architectural mindset of the App Model, and what’s happening in Office 365. Instead of having SharePoint as a big, bulky blob of a system slash platform slash product slash everything, Microsoft is taking the approach of detaching components from one another, having the possibility to connect them to each other instead. While this will require more configuration than before (just look at the Workflow engine), it provides a better architecture, providing better performance, stability, maintainability etc.

Side note: Developers can adopt this same mindset when building functions for their SharePoint portals, using the App Model. Building a function which runs separate from SharePoint, but is still used from within has a lot of benefits, and will go hand in hand with the path Microsoft is taking. So the next time you’re considering making yet another Visual WebPart, just give a few minutes of thought if it might not be better to build it as an app (and add about 500 % of development time to your project plan for learning how to build it, host it and use it).

SharePoint 2015

Yes there will be another SP on premises released in 2015. Will give us some more time to adapt to O365. Yay!

SharePoint Dev = Web Dev

Being a good SharePoint developer is more and more becoming being a good Web developer. While scary for some, it’s not a bad thing. It means that we may benefit from a larger developer community, with all the benefits it brings. Plus, being a web developer is cool. Like… hipster cool (or?).

Microsoft is also getting better at using standards and open source stuff regularly used by the web community. What about an Office 365 SDK for android on GitHub? And sessions this year have even promoted using javascript frameworks such as AngularJS developed by Google. I think our little boy is finally growing up. =)

Conference available for all

So the entire conferences sessions (I think) will be available on Channel 9 for all to see, both videos and presentations. While some (douchebags) whine about spending $$$ plenty on actually attending the conference needlessly, I say HORAY! Knowledge should be free. I like the sharing Microsoft better. =)

Here is a short list of sessions I attended which I think were awesome, or simply informative.

  • Developer audience keynote | What’s new for the Office & SharePoint developer (If you want to see what Microsoft wants)
  • SharePoint Power Hour – New developer APIs and features for Apps for SharePoint
  • Adjust the perspective with responsive designs for SharePoint
  • Build your own REST service with WebAPI 2
  • Apps, BCS, OData, Search and O365…Oh My
  • Site provisioning techniques with SharePoint apps
  • Deep dive: REST and CSOM comparison
  • Best practices for maintaining and updating a SharePoint App

LV1_0038

CHUVASH.eu

CHunky Universe of Vigourous Astonishing SHarepoint :)