SharePoint folders with unique permissions accessible via URL

  • Question

  • Hello! I'm pretty new to SharePoint 2010. I've been working on creating folders with unique permissions within a document library. I've created a workflow that automatically grants folder permissions to a certain group upon creation or modification. The document library and the folders within the library all have broken inheritance.

    The workflow I created seems to work as it should - when a user looks in the document library, they only see their group's folder. However, if the user tries accessing another group's folder via direct URL, they're able to see the folder webpage (though they can't access anything inside the folder). I'm not sure why this is happening since the folders are given unique permissions - shouldn't this prevent the user from seeing the other group's folder?

    I've noticed that it seems that the user having access to the document library (even if it's just Limited Access so they can reach their group's folder) seems to allow them to access ANY of the folders in the library using the folder URLs, even if the only folder that is visible to them is the folder for the group that they are in.

    For example, if I remove the user's group from the library's permissions, then they can't access any of the folders within the library (not even through a URL), nor the library itself. However, if I give the user permissions to access the library, then they seem to be able to access ANY of the folders in the library via direct URLs (even if the unique permissions for the folder don't include the user or the user's group) - definitely not something I want them to be able to do.

    Any advice on how to fix this? I've been searching for a solution for days but haven't found anything yet.


    • Edited by sabina.yim Wednesday, June 29, 2016 1:50 PM Fixed example problem
    Wednesday, June 29, 2016 1:41 PM

All replies

  • I think that is "by design". It allows for the example where a user does not have access to the folder (or even the library), but has been granted access to a document or subfolder inside of the folder.

    I don't know of any "fix" for this. The only idea I have is to add some JavaScript to the page that looks for a pattern (such as no items displayed and no "Add document" link) and redirects the user to some other destination.

     


    Mike Smith TechTrainingNotes.blogspot.com
    Books: SharePoint 2007 2010 Customization for the Site Owner, SharePoint 2010 Security for the Site Owner

    • Marked as answer by sabina.yim Tuesday, July 5, 2016 7:36 PM
    Thursday, June 30, 2016 3:40 AM
  • Hi,

    I have tested in my environment. I created two folders named “test1” and “test2” in the Shared Documents library. User u3 dean has Full Control permission only to “test1” and user u2 dean has Full Control permission only to “test2”.

    If u2 dean tried to access folder “test1” by direct URL “site URL/Shared%20Documents/test1”, the Access Denied error would pop up.


    After that, I added a subfolder named “test3” under folder “test1”, and u2 dean has full permission to the subfolder. The Access Denied error would pop up if u2 dean tried to access subfolder “test3” by direct URL “site URL/Shared%20Documents/test1”.

    Could you please test by following my steps?

    Thanks,

    Dean Wang


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Thursday, June 30, 2016 5:25 AM
    Moderator
  • Hello Dean! Thanks for your response!

    When I try accessing with the URL "site URL/library name/folder name" then I get Access Denied as well.

    But the URLs that I've been testing don't look like that. I've been testing what happens when a user who does have access to the folder gives the folder URL to someone else who doesn't have access - these URLs are longer and include "RootFolder", "FolderCTID", "View", and a bunch of strings of letters and numbers. When I try with this URL, the user without access is able to get into the folder. Is this normal? If so, isn't it bad for security?


    • Edited by sabina.yim Thursday, June 30, 2016 12:50 PM make it clear who i'm responding to
    Thursday, June 30, 2016 12:45 PM
  • I think that is "by design". It allows for the example where a user does not have access to the folder (or even the library), but has been granted access to a document or subfolder inside of the folder.

    I don't know of any "fix" for this. The only idea I have is to add some JavaScript to the page that looks for a pattern (such as no items displayed and no "Add document" link) and redirects the user to some other destination.

    Thanks for the reply! I've been reading about how folders in SharePoint work in general, and I heard that they're essentially just different views within the library. Would this explain why all users who have permissions to access the library are able to access the folders?
    Thursday, June 30, 2016 12:47 PM
  • Sort of. I think they are a mix of ideas. The folder itself is a list/library item. It's based on a Content Type. You can even create custom folder types with metadata by inheriting from the base folder type. As an "item", it does not really contain anything. The list/library file items have an internal property that specifies which "folder" the item belongs to. So you could kind of say that document A belongs with folder B and gets displayed as if it was in folder B.

    The SharePoint object model treats folders and items as distinctive collections and only tends to show things as nested folders in views, Windows Explorer and SharePoint Designer.

    PowerShell example to return a list of folders and then a list of items. Note that the hint that an item is in a folder is in the URL. Otherwise, a list of "items" is a list of all items in the library, regardless of the folder.

    So... a folder is a "logical" construct that lets SharePoint display items as if there were real folders. In the end, everything is just a record in a SQL table.


    Mike Smith TechTrainingNotes.blogspot.com
    Books: SharePoint 2007 2010 Customization for the Site Owner, SharePoint 2010 Security for the Site Owner

    Thursday, June 30, 2016 6:11 PM
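
Added example, not part of the original thread and not Mike Smith's code: a PowerShell script for the SharePoint 2010 server object model that lists the library's folders and then its items, as the post above describes, and goes one step further by reporting each folder's unique-permission state, its role assignments, and whether a test account can view it. The site URL, library name and account name are placeholders (assumptions).

```powershell
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumptions): substitute your own site, library and test account.
$siteUrl     = "http://sharepoint.example.local/sites/team"
$libraryName = "Shared Documents"
$loginName   = "EXAMPLE\testuser"

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$libraryName]
    # EnsureUser adds the account to the site's user list if it is not there yet.
    $user = $web.EnsureUser($loginName)
    $viewItems = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems

    # Folders are list items; $list.Folders returns them at every depth.
    Write-Output "--- Folders ---"
    foreach ($folder in $list.Folders) {
        Write-Output ("{0}  unique={1}  {2} can view={3}" -f $folder.Url,
            $folder.HasUniqueRoleAssignments, $loginName,
            $folder.DoesUserHavePermissions($user, $viewItems))
        # Who is actually on the folder's ACL, and with which permission levels.
        foreach ($ra in $folder.RoleAssignments) {
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
            Write-Output ("    {0}: {1}" -f $ra.Member.Name, $levels)
        }
    }

    # $list.Items is flat: every document in the library, whatever its folder.
    # The folder only shows up as part of each item's URL.
    Write-Output "--- Items ---"
    foreach ($item in $list.Items) {
        Write-Output ("{0}  can view={1}" -f $item.Url,
            $item.DoesUserHavePermissions($user, $viewItems))
    }
}
finally {
    $web.Dispose()
}
```

Rows where `can view` is True for an account outside the owning group are the ones to correct in the permission workflow.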
  • Hmm ok, thanks. 

    So I've moved on to trying document sets instead of folders, and they seem to do the trick - giving another user the URL to a document set they don't have permission to results in either a page saying "An unexpected error has occurred" (I'm not sure why it's not Access Denied?) or a redirection back to the document library. And I'm using a workflow to set the document set's permissions, just like I did for the folders.

    Is it safe to stick with document sets for this then, since they seem to be doing the job right? Is there anything I should be careful of when using document sets?

    Thursday, June 30, 2016 8:21 PM
  • The Doc Set content type inherits from the Folder content type and should, at basic levels, behave as a folder. Doc Sets are listed in the library's Folders collection and Windows Explorer views show them as folders.

    The biggest differences are that the icon is different, and they don't sort to the top like folders.


    Mike Smith TechTrainingNotes.blogspot.com
    Books: SharePoint 2007 2010 Customization for the Site Owner, SharePoint 2010 Security for the Site Owner

    Thursday, June 30, 2016 8:46 PM
  • Is there a reason why the permission settings seem to be working better for the Document Sets compared to the folders? 
    Friday, July 1, 2016 2:20 PM
  • Just guessing... Views "promote" folders. One example is how they always sort to the top. The second is how when you click a folder you get the exact same view, but only of the folder's contents. When you click a Doc Set you get the special "home page" as the "view/container". The Doc Set home page may be secured differently than a folder.

     


    Mike Smith TechTrainingNotes.blogspot.com
    Books: SharePoint 2007 2010 Customization for the Site Owner, SharePoint 2010 Security for the Site Owner

    Friday, July 1, 2016 4:22 PM
  • Hi,

    Yes, I have tested in my environment according to your description.

    If u2 dean tried to access folder “test1” by direct URL “site URL/Shared%20Documents/Forms/AllItems.aspx?RootFolder=%2Fsites%2Fdean%2FShared%20Documents%2Ftest1&FolderCTID=0x0120008815483B0685E6488311AF2CAFAC3B6C&View={57DC814C-E967-4823-B6AF-8884BB23B079}”, he would view folder “test3”.

    It seems that it’s by design. It’s not bad for security. Users can access a folder they don’t have permission to by direct URL, but they won’t view any files if they don’t have permission to the files in this folder. They can only view files for which they have enough permission.

    If you don’t want this, you can use a document set as a workaround.

    http://blog.bonzai-intranet.com/analysthq/2012/06/documents-sets-vs-folders-in-sharepoint-2010/

    Thanks,

    Dean Wang



    Monday, July 4, 2016 6:11 AM
    Moderator
  • I'm not sure I understood what you meant when you said that when u2 dean tries accessing "test1" folder by direct URL, they're able to view "test3". Did you mean they're able to view "test1"?

    And ok, I'll stick to using the document sets then. Thank you Mike, and thank you Dean!

    • Edited by sabina.yim Tuesday, July 5, 2016 8:16 PM additional question
    Tuesday, July 5, 2016 7:43 PM
  • Hi,

    You can see my reply above. "test3" is a subfolder in "test1" folder and u2 dean has enough permission to "test3" subfolder, so he can view "test3" if he accesses "test1" folder by direct URL.

    Thanks,

    Dean Wang



    Wednesday, July 6, 2016 8:23 AM
    Moderator
  • Ah I see. Thanks!
    Wednesday, July 6, 2016 2:43 PM