Tuesday, June 14, 2011

Blocking access to application pages (_layouts) and Forms Pages

All pages under the _layouts path are application pages. Pages created automatically for the various views are called form pages. In most SharePoint implementations we allow users to access these pages. However, we may want to further restrict users' access to the application pages and the form pages.

SharePoint allows this through the “ViewFormPagesLockDown” feature, which is activated at the site collection scope. All groups / users that do not have the “View Application Pages” permission will not be able to navigate to pages like “_layouts/viewlsts.aspx” or “pages/forms/allitems.aspx”.

Below are the steps to block access to application pages:

  1. Identify the users / groups to restrict.
  2. Set their permission to "Restricted Read", or remove "View Application Pages" from their existing assigned permission level.
  3. Enable the "ViewFormPagesLockDown" feature using the command:
     stsadm -o activatefeature -url "SiteCollectionURL" -filename ViewFormPagesLockDown\feature.xml

The above steps will block all users who do not have the "View Application Pages" permission from accessing the application pages and form pages.
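
To confirm the outcome of the steps above, the following added example (not part of the original post) reports whether the feature is active on the site collection and whether given accounts still hold "View Application Pages" at the site level. It assumes the SharePoint 2010 Management Shell on a farm server; the function name, URL and logins are placeholders.

```powershell
# Added example: read-only check, changes nothing on the farm.
# Assumption: SharePoint 2010 Management Shell (Microsoft.SharePoint.PowerShell snap-in).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-FormPagesLockDown {          # hypothetical helper name
    param(
        [string]$SiteUrl,                  # site collection URL
        [string[]]$Logins                  # accounts identified in step 1
    )

    # Step 3 check: the feature is hidden from the UI, so query it directly.
    # Get-SPFeature returns nothing (with an error) when it is not active here.
    $feature = Get-SPFeature -Identity "ViewFormPagesLockDown" -Site $SiteUrl `
                             -ErrorAction SilentlyContinue
    $active = ($feature -ne $null)

    # "View Application Pages" in the UI is SPBasePermissions.ViewFormPages.
    $viewAppPages = [Microsoft.SharePoint.SPBasePermissions]::ViewFormPages
    $viewItems    = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems

    $site = Get-SPSite -Identity $SiteUrl
    try {
        $web = $site.RootWeb
        foreach ($login in $Logins) {
            # Step 2 check: DoesUserHavePermissions evaluates effective rights,
            # so a grant inherited through another group shows up here.
            $canViewAppPages = $web.DoesUserHavePermissions($login, $viewAppPages)
            New-Object PSObject -Property @{
                Login            = $login
                LockDownActive   = $active
                ViewAppPages     = $canViewAppPages
                ViewListItems    = $web.DoesUserHavePermissions($login, $viewItems)
                # Expected end state: feature active and permission absent.
                ExpectedState    = ($active -and -not $canViewAppPages)
            }
        }
    }
    finally {
        $site.Dispose()                    # also releases RootWeb
    }
}

# Placeholder values; replace with your own site collection and accounts.
Test-FormPagesLockDown -SiteUrl "http://sharepoint.example/sites/team" `
                       -Logins "EXAMPLE\restricted.user", "EXAMPLE\site.owner" |
    Format-Table Login, LockDownActive, ViewAppPages, ViewListItems, ExpectedState -AutoSize
```

A row with ViewAppPages = True for an account that was meant to be restricted indicates that the permission is still being granted somewhere, for example through another group.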

9 comments:

Tracey said...

I would like users to be able to use the edit forms to update and modify data in lists but I do not want them to view the _layout pages such as “_layouts/viewlsts.aspx”. Will enabling ViewFormPagesLockDown allow this or will they not be able to access any list forms?

Rizwan Ansari said...

You have to give at least contribute permission to the user on the list you want him to modify items on. This will allow him to access the edit forms and view forms of that particular list.

Tracey said...

Thank you, Rizwan, for your reply - I appreciate your help because I am ready to pull my hair out on this one! I don't see the "ViewFormPagesLockDown" feature for my site collection which is not a publishing site and maybe that is why? My users do have contribute rights and their "View Application Pages" permission is removed from that permission level. Still they can edit pages and get to the View All Site Content, recycle bin...

Rizwan Ansari said...

The "ViewFormPagesLockDown" feature is not visible from the user interface. You have to run the stsadm command to activate the feature at the site collection scope. I have even tried this on a Team Site and it works.

Verify that the user you are trying to provide access to does not have higher level permission from some other group. Also, the user must not have permission higher than Read (with "View Application Pages" permission removed) at site level and must have contribute permission on the list level to modify and add items.

Tracey said...

Thank you again, Rizwan, for your reply. I have verified that my user does not have higher level permission from some other group. They also have Read permissions at the site level with the "View Application Pages" permission removed and they have contribute permission on the list level. At the list level, I also find that I have to give the user View Only permissions with the "View Application Pages" permission enabled or else she cannot even view a list item in display or edit. I have not run the stsadm command yet because I am afraid the user won't be able to view list items afterwards...

Tracey said...

Rizwan, I would also like to add that this is not a public facing site with anonymous users but it is an Intranet site with AD security...

Gabbo said...

Hi Rizwan,

Good post, I've done all, but users still access via URL /_layouts/viewlsts.aspx, how can I limit this?
Thanks.

Amit Lohogaonkar Sharepointer said...

I think this only works with anonymous users. I have the exact same problem as Tracey.

I would like users to be able to use the edit forms to update and modify data in lists but I do not want them to view the _layout pages such as “_layouts/viewlsts.aspx”.

Above solution does not work in this case.
