Restrict access to _layouts pages RRS feed

  • Question

  • Hi,


    I am doing some Sharepoint site development using MOSS 2007. On the left hand navigation, menu items such as 'View all site content' and 'Documents' and so on are visible. When clicking on these items, it takes the user to pages that are in the _layouts directory.


    Now, as these pages use a different master page (application.master) to the rest of my site, I want to restrict access to them unless the user is an Administrator. How do I turn off such menu items through the use of permissions? I cannot simply hide them (through modifying navigation within site settings) as they must be visible to the Administrator.


    Modifying application.master to give the entire site a consistent look and feel is not an option as I have a lack of time in this phase of the project.


    Any help would be appreciated.


    Thanks in advance,


    Tuesday, August 7, 2007 2:02 AM


All replies

  • Rohan,


    The way Permission works is through SPSecurityTrimmedControl. if you look at default.master page you will see this code around View all site contents. <SharepointTongue TiedPSecurityTrimmedControl runat="server" PermissionsString="ViewFormPages">. PermissionString comes from Site permisson level. Like this

    List Permissions
    Site Permissions


    Personal Permissions
    Now who ever has a permission at site level to viewformpages will be able to see view site content links and who does not will not. So to solve your issue you need to create is a new pemission level with no rights to viewformpages. Then create a Group and give that group the new permission levels which you created and then add users in that group.
    Hope this helps
    Tuesday, August 7, 2007 2:48 PM
  • There is another way but it does end up stopping all access and that is by removing the link from the master page.


    All sub pages within a site (such as recycle bin and forms) use generic masters which it is best not to mess with but the defalt master renders the quick launch. So...open up the master page (either in sharepoint designer or download it and open in a web dev tool like front page) and cut out the follwoing code:



    <div class="ms-quicklaunchheader"><SharePointTongue TiedPLinkButton id="idNavLinkViewAll" runat="server" NavigateUrl="~site/_layouts/viewlsts.aspx" Text="<%$Resources:wss,quiklnch_allcontent%>" AccessKey="<%$Resources:wss,quiklnch_allcontent_AK%>"/></div>


    The problem here of course is that this link is now removed for all users to the site, but remember it will still be possible for admin (Owners) to view all site content by going in via sub menus through 'Site Actions'.


    Incidentally, I am a very much a beginner with sharepoint, so this might be a bad idea with knock on implications…so I am open to further advice and suggestions on this.





    Thursday, September 20, 2007 11:09 AM
  • I think you could have a look at the Lock Down feature meant for hiding the _layouts pages from anonymous users. If the logic you find there isn't sufficient you could try implementing your custom HttpHandler. It's quite straigth forward and I think it would allow you to solve your problem.

    Wednesday, November 7, 2007 12:18 PM
  • I've just started developing for WSS 3.0 and needed to do exactly the same thing.

    We first tried removing the 'View All Forms' permission from the user's group but that impacted on other things so we needed a more granular solution.

    We ended up changing the value of the PermissionString attribute for the relevant control in the default.master page to 'ManageWeb' using Sharepoint Designer.

    Worked a treat for us.

    Thanks for your list of permission strings Ayub. I couldn't find these anywhere else and I wouldn't have been able to come up with my solution without them!!
    Thursday, July 24, 2008 1:35 PM