Thursday, May 17, 2012

NextLabs’ Entitlement Manager Issue #5 - Users could work around the policy to display restricted lists through SharePoint 2010 RPC calls


We are evaluating NextLabs Entitlement Manager to restrict users who belong to certain security groups from accessing selected site collections containing sensitive information, even when those users have been granted permission through an individual account, AD groups, or email list groups. One of the test cases is to verify access permissions through SharePoint Foundation RPC Protocol (RPC) methods.

SharePoint Foundation RPC Protocol (RPC) methods can be invoked through the URL protocol with plain HTTP GET requests. Although this is not a very common access method for end users, it is one of the security concerns. The test result is very promising: after we applied a policy to deny access to the list or library, users get an error when they try to access the list or library through SharePoint RPC calls, with only one caveat. Here are the setup and the explanation.

We set up one site with one library named lib1 (http://xnetsbx-sp/it/nextlab1/lib1) containing two documents. The list GUID is E757FF25-7CE0-406C-991D-D078FB008B39.



We applied a deny access policy to both http://xnetsbx-sp/it/nextlab1/** and http://xnetsbx-sp/it/nextlab1/lib1/** from NextLabs.

We set up several RPC cases based on some references. We got a deny access error when accessing the following RPC calls, with an error message that looks like this.


Here are some of the RPC test cases, with the URL syntax embedded as links.
If you have the permission, you should see the following outputs.

1. Picture 1 - Exports the list as CAML

2. Picture 2 - Display list or library metadata

3. Picture 3 - Open a view of the document library in a view


Everything seemed perfect and contents were blocked after applying the deny access policy from NextLabs, until I accidentally typed in one wrong URL to open a view of the document library. Here is the issue.

If you type in the correct URL http://xnetsbx-sp/it/nextlab1/_vti_bin/owssvr.dll?dialogview=FileOpen&location=lib1, you will get an error message.

If you append some other parameters to the URL like this

The good thing is that users still could not open the documents even though they could view the library. I guess more testing needs to be done.
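Since RPC access through owssvr.dll is rarely used by end users, the practical defence is to make such requests visible in the IIS logs and review any that succeed against a protected path. The following script is an added example, not part of the original post: it parses IIS W3C log lines and flags owssvr.dll requests under the protected site path from this post. The log lines are constructed samples; the extra query parameter in the third line is a placeholder, not the actual parameter that bypassed the policy.

```powershell
# Added example (not from the original post): find SharePoint RPC (owssvr.dll)
# requests against a protected site path in IIS W3C log lines, so that access
# through the URL protocol is visible even where the normal list view is blocked.
$ProtectedPaths = @('/it/nextlab1')   # site path from the post

# Constructed sample log entries; PLACEHOLDER stands in for the appended parameter
$SampleLog = @'
#Fields: date time cs-uri-stem cs-uri-query cs-username sc-status
2012-05-17 10:01:02 /it/nextlab1/lib1/Forms/AllItems.aspx - DOMAIN\alice 403
2012-05-17 10:01:30 /it/nextlab1/_vti_bin/owssvr.dll dialogview=FileOpen&location=lib1 DOMAIN\alice 403
2012-05-17 10:02:05 /it/nextlab1/_vti_bin/owssvr.dll dialogview=FileOpen&location=lib1&PLACEHOLDER=1 DOMAIN\alice 200
2012-05-17 10:03:00 /corp/public/_vti_bin/owssvr.dll Cmd=ExportList&List=PLACEHOLDER DOMAIN\bob 200
'@

function Find-OwssvrRequests {
    param([string]$LogText, [string[]]$ProtectedPaths)
    $fields = $null
    foreach ($line in ($LogText -split "`r?`n")) {
        # The #Fields directive gives the column order for the lines that follow it
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $stem = $row['cs-uri-stem']
        if ($stem -notmatch '(?i)/_vti_bin/owssvr\.dll$') { continue }
        $inScope = $ProtectedPaths | Where-Object { $stem.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        if (-not $inScope) { continue }
        # Assumption: a denied request shows up as a non-200 status; adjust this if
        # the policy engine returns its error page with status 200.
        $status = [int]$row['sc-status']
        $verdict = if ($status -eq 200) { 'ALLOWED - review' } else { 'blocked' }
        [pscustomobject]@{
            Time    = "$($row['date']) $($row['time'])"
            User    = $row['cs-username']
            Query   = $row['cs-uri-query']
            Status  = $status
            Verdict = $verdict
        }
    }
}

Find-OwssvrRequests -LogText $SampleLog -ProtectedPaths $ProtectedPaths | Format-Table -AutoSize
```

On the sample input only the third line (the RPC call that returned 200 under /it/nextlab1) is reported as needing review; the request under /corp/public is out of scope.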


Tips to resolve the issue that site owners are able to delete site templates or sandbox solutions before the 2011 Dec. CU

If you are using sandbox solutions, you might be aware that on the SharePoint RTM version, site owners are able to delete site templates or sandbox solutions from the solution gallery without deactivating them, on a load-balanced multi-tier environment, through Edit Item, as we described before.

This issue was supposed to be resolved in the 2011 Dec. CU. After we applied the 2012 Feb. CU, the issue has indeed been resolved on any newly created site collections. Even though the delete option is still available in the ribbon, when site owners try to delete site templates or sandbox solutions from the solution gallery without deactivating them, they get an error message.



However, the issue still exists on site collections created before the CU. We finally identified the root cause and the way to fix it.

The root cause is that sites created before the Feb CU are missing two event receivers on the site collection “Solution Gallery” list. The two missing event receivers are ItemUpdating and ItemDeleting. You can use the following PowerShell commands to list the event receivers on the site collection “Solution Gallery” list.

# Open the root web of the affected site collection and dump the receivers of its Solution Gallery list
$web = Get-SPWeb http://AffectedSiteName
$sg = $web.Lists["Solution Gallery"]
$sg.EventReceivers | Out-File c:\ev.txt

The result for a site collection created after the Feb CU is listed below. Please note the two highlighted receivers (ItemUpdating and ItemDeleting, class Microsoft.SharePoint.SolutionGalleryEventReceiver) that are missing on site collections created before the CU.

Id                              : c655b849-6f3f-4d95-a476-ef805a43f13c
Name                        :
SiteId                        : 59682d29-9241-468c-8d73-93b6e74c7a45
WebId                       : 8e1c6b34-9434-4c4d-9ca7-b057f0fd5983
HostId                       : 40187fd3-0178-46f7-b89e-233b7e83a739
HostType                  : List
ParentHostId            : 00000000-0000-0000-0000-000000000000
ParentHostType        : Site
Synchronization        : Synchronous
Type                          : ItemAdding
SequenceNumber      : 10000
Assembly                   : Microsoft.Office.Access.Server.Application, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Class                          : Microsoft.Office.Access.Server.Template.SolutionGalleryEventReceiver
Data                           :
Filter                          :
Credential                  : 0
ContextItemId           : 0
ContextItemUrl         :
ContextType              : 00000000-0000-0000-0000-000000000000
ContextEventType     : 00000000-0000-0000-0000-000000000000
ContextId                   : 00000000-0000-0000-0000-000000000000
ContextObjectId        : 00000000-0000-0000-0000-000000000000
ContextCollectionId  : 00000000-0000-0000-0000-000000000000
UpgradedPersistedProperties :

Id                               : 6d505269-a988-46b5-aea1-62f15927714f
Name                         :
SiteId                         : 59682d29-9241-468c-8d73-93b6e74c7a45
WebId                        : 8e1c6b34-9434-4c4d-9ca7-b057f0fd5983
HostId                       : 40187fd3-0178-46f7-b89e-233b7e83a739
HostType                  : List
ParentHostId             : 00000000-0000-0000-0000-000000000000
ParentHostType        : Site
Synchronization       : Synchronous
Type                         : ItemUpdating
SequenceNumber     : 10000
Assembly                 : Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Class                       : Microsoft.SharePoint.SolutionGalleryEventReceiver
Data                        :
Filter                      :
Credential                  : 0
ContextItemId               : 0
ContextItemUrl              :
ContextType                 : 00000000-0000-0000-0000-000000000000
ContextEventType            : 00000000-0000-0000-0000-000000000000
ContextId                   : 00000000-0000-0000-0000-000000000000
ContextObjectId             : 00000000-0000-0000-0000-000000000000
ContextCollectionId         : 00000000-0000-0000-0000-000000000000
UpgradedPersistedProperties :

Id                          : 099a4e0c-1e76-46ce-8c3c-549968535658
Name                        :
SiteId                      : 59682d29-9241-468c-8d73-93b6e74c7a45
WebId                       : 8e1c6b34-9434-4c4d-9ca7-b057f0fd5983
HostId                      : 40187fd3-0178-46f7-b89e-233b7e83a739
HostType                    : List
ParentHostId                : 00000000-0000-0000-0000-000000000000
ParentHostType              : Site
Synchronization             : Synchronous
Type                        : ItemDeleting
SequenceNumber              : 10000
Assembly                    : Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Class                       : Microsoft.SharePoint.SolutionGalleryEventReceiver
Data                        :
Filter                      :
Credential                  : 0
ContextItemId               : 0
ContextItemUrl              :
ContextType                 : 00000000-0000-0000-0000-000000000000
ContextEventType            : 00000000-0000-0000-0000-000000000000
ContextId                   : 00000000-0000-0000-0000-000000000000
ContextObjectId             : 00000000-0000-0000-0000-000000000000
ContextCollectionId         : 00000000-0000-0000-0000-000000000000
UpgradedPersistedProperties :

Id                          : 7cd2ee61-7a30-4956-9f6c-3ea10c6c4be9
Name                        :
SiteId                      : 59682d29-9241-468c-8d73-93b6e74c7a45
WebId                       : 8e1c6b34-9434-4c4d-9ca7-b057f0fd5983
HostId                      : 40187fd3-0178-46f7-b89e-233b7e83a739
HostType                    : List
ParentHostId                : 00000000-0000-0000-0000-000000000000
ParentHostType              : Site
Synchronization             : Synchronous
Type                        : ItemAdded
SequenceNumber              : 10000
Assembly                    : Microsoft.Office.Access.Server.Application, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Class                       : Microsoft.Office.Access.Server.Template.SolutionGalleryEventReceiver
Data                        :
Filter                      :
Credential                  : 0
ContextItemId               : 0
ContextItemUrl              :
ContextType                 : 00000000-0000-0000-0000-000000000000
ContextEventType            : 00000000-0000-0000-0000-000000000000
ContextId                   : 00000000-0000-0000-0000-000000000000
ContextObjectId             : 00000000-0000-0000-0000-000000000000
ContextCollectionId         : 00000000-0000-0000-0000-000000000000
UpgradedPersistedProperties :



Now you probably have an idea of how to fix this issue on any site collection that has it. The solution is to add the two missing event receivers, ItemUpdating and ItemDeleting, back to the site collection “Solution Gallery” list. Here are the PowerShell commands you can use.

# Add the two receivers back, bound to the same SharePoint class that new site collections get
$web = Get-SPWeb http://siteCollectionName
$sg = $web.Lists["Solution Gallery"]
$sg.EventReceivers.Add("ItemDeleting", "Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c", "Microsoft.SharePoint.SolutionGalleryEventReceiver")
$sg.EventReceivers.Add("ItemUpdating", "Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c", "Microsoft.SharePoint.SolutionGalleryEventReceiver")
$web.Update()
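Running the commands above site by site does not scale to a farm with many pre-CU site collections, and running them twice would register duplicate receivers. The following script is an added example, not the post's own code: it walks every site collection in a web application, reports which of the two receivers are missing, and adds only those, with a dry-run switch. It assumes the SharePoint 2010 Management Shell (or the snap-in loaded) and farm administrator rights; the web application URL is a placeholder.

```powershell
# Added example (not from the original post): audit and repair the Solution
# Gallery receivers across all site collections of one web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = 'http://WEBAPP-PLACEHOLDER'   # placeholder, replace with your web application URL
$DryRun    = $true                          # set to $false to actually add the receivers
$Required  = @('ItemUpdating', 'ItemDeleting')
$Assembly  = 'Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'
$Class     = 'Microsoft.SharePoint.SolutionGalleryEventReceiver'

function Repair-SolutionGalleryReceivers {
    param([Microsoft.SharePoint.SPWeb]$Web, [bool]$DryRun)
    $gallery = $Web.Lists.TryGetList('Solution Gallery')
    if (-not $gallery) { Write-Warning "$($Web.Url): no Solution Gallery list"; return }
    # Only count receivers bound to the SharePoint class; the Access Services
    # receivers on the same list have different types and must not mask a gap.
    $present = @($gallery.EventReceivers |
        Where-Object { $_.Class -eq $Class } |
        ForEach-Object { $_.Type.ToString() })
    $added = 0
    foreach ($type in $Required) {
        if ($present -contains $type) { continue }      # already registered, skip to stay idempotent
        if ($DryRun) { Write-Output "$($Web.Url): MISSING $type"; continue }
        $null = $gallery.EventReceivers.Add([Microsoft.SharePoint.SPEventReceiverType]$type, $Assembly, $Class)
        Write-Output "$($Web.Url): added $type"
        $added++
    }
    if ($added -gt 0) { $Web.Update() }
}

# The Solution Gallery lives on the root web of each site collection
Get-SPWebApplication $WebAppUrl | Get-SPSite -Limit All | ForEach-Object {
    try { Repair-SolutionGalleryReceivers -Web $_.RootWeb -DryRun $DryRun }
    finally { $_.Dispose() }
}
```

Run it first with $DryRun left at $true to get the list of affected site collections, then re-run with $DryRun set to $false during a maintenance window.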

Now site owners are NOT able to delete site templates or sandbox solutions from the solution gallery without deactivating them, on a load-balanced multi-tier environment, through Edit Item!


Tuesday, May 15, 2012

NextLabs’ Entitlement Manager Issue #4 - Could not Apply Policy To RSS feeds


If we apply a policy to deny access to a list or library, users will get an error when they try to access the list or library.

One example is to deny access to the following list, http://xnetsbx-sp/corp/Firethorn/IT/Lists/Harry/AllItems.aspx, which has two items.

Users will get the error if they try to access the list from the UI.



It does not seem that NextLabs applies the security policy to RSS feeds. We had the same issue, as we discovered earlier, that the security policy could not be applied to SOAP, REST, or server-side API access.