Security concern on anonymous access enabled list

  • Question

  • Hi Guys,

    As you may know, to enable anonymous users to submit data to a list, we need to enable anonymous access with Add and View permissions on the list.

    My question is, by doing this, would there be a way for an anonymous user to retrieve all data in that list?

    For example, you have a contact us list that takes data from a form that anonymous users submit. But you definitely do not want all anonymous users to be able to see all items in the contact us list, as some of them might be confidential.

    As far as I know, there are two ways to get list data. One is DispForm.aspx, which uses the default master page that requires login, so this is not a problem. Another way is to use list.asmx. I assume that if we can restrict _vti_bin to logged-in users only, there will be no issue there either.

    I am wondering if there are other ways that some bad anonymous users can retrieve items from the list.

    Any ideas would be very much appreciated!

    Friday, November 25, 2011 10:35 AM

Answers

  • Allitems.aspx, Editform.aspx, custom code, or SharePoint Designer would be the only other ways.  Most of those would require that the user at least start out as an authenticated user.


    Paul Stork SharePoint Server MVP Chief SharePoint
    Architect: Sharesquared Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.
    • Marked as answer by vken Sunday, November 27, 2011 4:31 AM
    Saturday, November 26, 2011 12:55 PM

All replies

  • Anonymous access is by definition Anonymous access.  That means the user can see (and if edit is enabled edit) any item in the list.  If Anonymous access is turned on for the list then DispForm.aspx will NOT require authentication to display an item.
    Paul Stork SharePoint Server MVP Chief SharePoint
    Architect: Sharesquared Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.
    Friday, November 25, 2011 1:58 PM
  • Hi Paul,

    Thanks heaps for your reply. I fully understand what you said.

    I might not have been very clear with my question. We've already found ways to block DispForm.aspx and list.asmx.

    My question was mainly around other ways for public users to retrieve list data. It would be very much appreciated if you could shed some light on whether, apart from DispForm.aspx and list.asmx, public users have other ways to access list data.

    Thanks in advance!



    • Edited by vken Saturday, November 26, 2011 10:48 AM
    Saturday, November 26, 2011 10:45 AM
  • To add to this, the Lists.asmx web service can also be used here.

    I hope this will help you out.


    Thanks, Rahul Rashu
    Sunday, November 27, 2011 4:20 AM
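
One way to confirm which of the access paths named in this thread still answer an unauthenticated request on your own site, as an added example (not code from any poster in the thread). The `/Lists/<name>/` URL layout, the sample item ID, the host name and the canned responses are assumptions made for illustration.

```python
import urllib.error
import urllib.parse
import urllib.request

# Access paths named in this thread, relative to the site URL (standard list layout assumed).
PATHS = {
    "DispForm.aspx": "/Lists/{name}/DispForm.aspx?ID=1",  # ID=1 is an assumed item ID
    "AllItems.aspx": "/Lists/{name}/AllItems.aspx",
    "EditForm.aspx": "/Lists/{name}/EditForm.aspx?ID=1",
    "Lists.asmx": "/_vti_bin/Lists.asmx",  # a 200 here means the service page is reachable
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the redirect itself instead of following it to a login page

def fetch_anonymous(url):
    """GET url with no credentials; return (status, Location header or '')."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")

def classify(status, location=""):
    if status == 200:
        return "EXPOSED to anonymous users"
    if status in (401, 403):
        return "blocked"
    if status in (301, 302, 303, 307, 308):
        return "redirected to " + location  # confirm the target is a sign-in page
    return "review (HTTP %d)" % status

def audit(site_url, list_name, fetch=fetch_anonymous):
    """Return {access path: verdict} for one list, requesting as an anonymous client."""
    report = {}
    for label, template in PATHS.items():
        url = site_url.rstrip("/") + template.format(name=urllib.parse.quote(list_name))
        report[label] = classify(*fetch(url))
    return report

if __name__ == "__main__":
    # Constructed responses standing in for a real site, so the example runs offline.
    canned = {"DispForm.aspx": (302, "/_layouts/login.aspx"), "AllItems.aspx": (200, ""),
              "EditForm.aspx": (403, ""), "Lists.asmx": (401, "")}
    fake = lambda url: next(v for k, v in canned.items() if k in url)
    for path, verdict in audit("https://sharepoint.example", "ContactUs", fake).items():
        print(f"{path:15} {verdict}")
```

Calling `audit(site_url, list_name)` without the third argument sends real unauthenticated requests; any path reported as EXPOSED is one the anonymous View permission still serves.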