Hello.
I am trying to find a fix for a weird document library permissions and “visibility” issue in SharePoint 2013.
In two examples so far, the client has sites with the usual Owners, Contributing members and Visitors groups. All intended users are members of the appropriate groups. Permissions on document libraries have been separated from the parent, configured so that only specific users can view or modify. Running the “Check permissions” tool on user xyz library produces and confirms “Access for user abc: None”.
Oddly, if users click on “all site content”, they are able to see all document libraries listed. They can see names, tiles for other libraries, total number of items and modified date indicated beside each library tile. This is not good. The client does not want users to see a list of other users’ libraries.
If a user clicks on a document library for another user, the library page displays but items are not visible. That’s a small consolation but still not acceptable.
How do we make it so users do not see other users’ libraries listed in all site content?
Thanks in advance,
Theresa
Hugo, no it wasn’t.
One work-around was to remove the site contents link from the Quick Launch. We haven’t heard from any end users who may have dug deeper to see site contents and existence of other libraries. I think they’re mostly only interested in getting their own reports then leaving.
I only have the SP 2010 DLLs, but I took a look inside the code-behind for the Site Contents page, ViewLsts.aspx. It appears that permission is only checked on page init to see if the user can make client-side object calls, but no permissions are checked for access to each list displayed on the page. This means that it is up to the method that retrieves the collection of lists to do the security trimming. In this page, SPWeb.GetListsOfType is the method invoked because it allows a query string parameter which filters the lists shown by their type. My guess is that those results are not security-trimmed, but I could not find information to confirm that. I will dive deeper on that method this evening.
Hi Theresa. Was this problem ever corrected? Best regards
Pieter,
Thank you for testing in Office 365 and providing the blog link. The solution didn’t work for me in SharePoint 2013.
I performed a test on a test SharePoint 2013 site collection, deactivated “Limited-access user permission lockdown mode”. Created a new document library and separated permissions so that a test user had no access.
That site collection features change still allowed the user to see the library’s existence in site contents AND view the document library but with no contents showing at least. Not good.
I would rather that the user with no permissions encounters the “you do not have access..” as is the current status.
Ideally, I would rather that the library doesn’t appear in site contents for that user at all!
Anyone else test this solution successfully in SP2013?
?width=721
Try this solution worked for me: http://itsolutionsblog.net/new-sharepoint-library-is-visable-despite-permissions/
