How to Make List Items Visible to Anonymous Users (in Search)

I had a funny little issue with showing list items from a custom list (with a custom view form) to anonymous users on a publishing site.

My good colleague Bernd Rickenberg insisted that I blog the resolution, since he had found quite a few posts detailing the problem but no viable solutions 😉

The Issue

You want to show a custom list to anonymous users. In our setting it was through search; your use case is likely different, but the issue remains the same with or without search.

Quite simply, list forms are generally not accessible to anonymous users when you have the lockdown feature (ViewFormPagesLockdown) enabled. It is a critical feature to have enabled; otherwise you expose way too much information to SharePoint-savvy users. Many of the solutions to this issue suggest turning it off.

It is fairly simple to test whether you have this problem. Start Firefox (assuming that you have not enabled the NTLM auto login setting) and hit the …/DispForm.aspx page for a specific item. If you get the login prompt as an anonymous user in Firefox but sail through when logged in, this blog post is for you.

If the ordinary publishing pages are also not viewable then this blog is not for you.

Note: Never use IE to test anonymous access. I can’t count the number of times it has fooled consultants into thinking it works, because the auto login feature kicks in while they are on the corporate network.

The Resolution

It is fairly simple.

The basics for search are that the list must be made searchable (it is by default) in the list settings, anonymous users must have access rights to the site, and the lockdown feature should(!) be enabled.

What the lockdown feature does is that it changes the anonymous permission mask at the root site (which is inherited by all by default). The mask is basically the permission level assigned to all anonymous users and is similar to the normal permission sets – but is not editable in the UI.

The “View Application Pages” permission level is removed; see the image below for where to find it (for non-anonymous users):

Permission level settings page – not available for anonymous users

The best option, security-wise, is to break the permission inheritance for your particular list and then add the “View Application Pages” permission to the anonymous users. Do not do that at the web level, as you do not want to expose e.g. All Site Content etc.

The Script

You need to run the following PowerShell commands on one of your servers (replace the URL and list name):

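# Run in the SharePoint Management Shell (the next line loads the snap-in in a plain PowerShell session)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$web = Get-SPWeb "http://yoursiteurl/subweb/subsubweb"
$list = $web.Lists["ListName"]
# Stop inheriting from the web, keeping a copy of the current role assignments
$list.BreakRoleInheritance($true)
# Binary OR adds ViewFormPages to the list's anonymous permission mask
$list.AnonymousPermMask = $list.AnonymousPermMask -bor ([int][Microsoft.SharePoint.SPBasePermissions]::ViewFormPages)
$list.Update()
$web.Dispose()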

(Note: Do be careful if copying directly from this page to PowerShell – you need to re-type the quotes as WordPress mangles them)
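To confirm that only the intended list exposes its form pages, and that the web-level mask set by the lockdown feature is untouched, you can report the anonymous mask for the web and each of its lists. This is an added example, not part of the original post; the URL is the same placeholder as in the script above, and it assumes the 64-bit mask properties (AnonymousPermMask64) on the web and list objects.

```powershell
# Added example: report where anonymous users hold the ViewFormPages permission.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$flag = [long][Microsoft.SharePoint.SPBasePermissions]::ViewFormPages
$web  = Get-SPWeb "http://yoursiteurl/subweb/subsubweb"   # placeholder URL

try {
    # Web level: with the lockdown feature active this should be False.
    $webHasFlag = (([long]$web.AnonymousPermMask64) -band $flag) -ne 0
    "{0} : anonymous ViewFormPages at web level = {1}" -f $web.Url, $webHasFlag
    if ($webHasFlag) {
        Write-Warning "Form pages are open to anonymous users for the whole web, not just one list."
    }

    # List level: only the lists you deliberately opened should show up here.
    $web.Lists |
        Select-Object Title,
            @{Name = 'UniquePermissions'; Expression = { $_.HasUniqueRoleAssignments }},
            @{Name = 'AnonymousMask';     Expression = { $_.AnonymousPermMask64 }},
            @{Name = 'AnonViewFormPages'; Expression = { (([long]$_.AnonymousPermMask64) -band $flag) -ne 0 }} |
        Where-Object { $_.AnonViewFormPages } |
        Format-Table -AutoSize
}
finally {
    # Release the SPWeb object even if the report fails part-way.
    $web.Dispose()
}
```

Any list in the output that you did not open on purpose is worth reviewing, and so is a True at the web level.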

About Søren Nielsen
Long time SharePoint Consultant.

7 Responses to How to Make List Items Visible to Anonymous Users (in Search)

  1. Shawkat says:

    Great article. This is a cool way to show DispForm.aspx to the anonymous user. But we don’t want anonymous users to get access to the allitems.aspx page of that clinic. Do you have any idea how to block allitems.aspx from anonymous users?

    • Bob says:

      This worked great on my dev environment but when I went to run in production I received an error. I am not sure what the error is pointing to, does it make sense to you?

      at line::::

      $list.AnonymousPermMask=$list.AnonymousPermMask -bor ([int][Microsoft.SharePoint.SPBasePermissions]::ViewFormPages)

      I receive the error::::

      Exception setting “AnonymousPermMask”: “0x80070005OWSSVR.DLL: (unresolved symbol, module offset=0000000000008D1F) at 0x000007FEEB598D1F
      OWSSVR.DLL: (unresolved symbol, module offset=00000000000108E1) at 0x000007FEEB5A08E1
      OWSSVR.DLL: (unresolved symbol, module offset=00000000000ABD12) at 0x000007FEEB63BD12
      mscorwks.dll: (unresolved symbol, module offset=00000000002BB647) at 0x000007FEF939B647
      Microsoft.SharePoint.Library.ni.dll: (unresolved symbol, module offset=00000000000FFF7B) at 0x000007FEEBDBFF7B
      Microsoft.SharePoint.ni.dll: (unresolved symbol, module offset=0000000001AB5186) at 0x000007FEEFC35186
      Microsoft.SharePoint.ni.dll: (unresolved symbol, module offset=0000000001B9BC5F) at 0x000007FEEFD1BC5F

      At line:1 char:7
      + $list. <<<< AnonymousPermMask=$list.AnonymousPermMask -bor ([int][Microsoft.SharePoint.SPBasePermissions]::ViewFormPages)
      + CategoryInfo : InvalidOperation: (:) [], RuntimeException
      + FullyQualifiedErrorId : PropertyAssignmentException

      • That one seems a bit strange to me. Has anon view been enabled at the site? I would normally look into a permission issue with your user, however you do have shell access so that seems unlikely.

        Can you change the other anon permissions on the list (view, create, etc.) from within the GUI?

        Is it exactly the script you ran on test? I’ve sometimes seen that when you copy code from a web site the quotes and dashes may have been switched to some other Unicode characters that look similar (damn designers…).

        If all else fails, maybe look in the ULS log.

  2. Pingback: Displaying search results to anonymous users in SharePoint 2013 | Yuri Oyoko

  3. SJNBham says:

    Seems to be working brilliantly so far. I also used the display:none option in the CSS within a control in the master page to hide info from anonymous users on the DispForm.aspx page site-wide that we didn’t want the public seeing like created, version, last modified. Thanks for taking the time to post this. I did a couple of hours of searching before I came across it.

  4. Kevin Parker says:

    Is there a way to do this using the REST API? Every time I google REST API and Anonymous, all I get is how to enable the API for anonymous access.

    • As in using REST to enable it? I don’t know.
      However, if you are asking how to consume the data through REST, it should work just fine after this.
