Hello.
I am trying to find a fix for a weird document library permissions and “visibility” issue in SharePoint 2013.
In two examples so far, the client has sites with the usual Owners, Contributing members and Visitors groups. All intended users are members of the appropriate groups. Permissions on document libraries have been separated from the parent, configured so that only specific users can view or modify. Running the “Check permissions” tool on user xyz library produces and confirms “Access for user abc: None”.
Oddly, if users click on “all site content”, they are able to see all document libraries listed. They can see names, tiles for other libraries, total number of items and modified date indicated beside each library tile. This is not good. The client does not want users to see a list of other users’ libraries.
If a user clicks on a document library for another user, the library page displays but items are not visible. That’s a small consolation but still not acceptable.
How do we make it so users do not see other users’ libraries listed in all site content?
Thanks in advance,
Theresa
I only have the SP 2010 DLLs, but I took a look inside the code-behind for the Site Contents page, ViewLsts.aspx. It appears that permission is only checked on page init to see if the user can make client-side object calls, but no permissions are checked for access to each list displayed on the page. This means that it is up to the method that retrieves the collection of lists to do the security trimming. In this page, SPWeb.GetListsOfType is the method invoked because it allows a query string parameter which filters the lists shown by their type. My guess is that those results are not security-trimmed, but I could not find information to confirm that. I will dive deeper on that method this evening.
