Wednesday, February 3, 2010

Anonymous access and People Editor control

By default, if you enable anonymous access to your SharePoint site, anonymous users cannot edit a column of type Person or Group. Instead of the standard control, they see the message "The control is not available because you do not have the correct permissions".

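After disassembling the PeopleEditor class in Microsoft.SharePoint.dll, we can see the cause:

    // True only when the current user holds BrowseUserInfo on the web and,
    // if the picker is restricted to a group, may view that group's membership.
    private bool DoesUserHavePermissions
    {
        get
        {
            if (!SPContext.Current.Web.DoesUserHavePermissions(SPBasePermissions.BrowseUserInfo))
            {
                return false;
            }
            // The decompiler emitted this check as a while loop; it is a plain if.
            if (this.SPGroupValue == null)
            {
                return true;
            }
            return this.SPGroupValue.CanCurrentUserViewMembership;
        }
    }

    [SharePointPermission(SecurityAction.Demand, ObjectModel=true)]
    protected override void Render(HtmlTextWriter writer)
    {
        if (this.DoesUserHavePermissions)
        {
            base.Render(writer);
        }
        else
        {
            // Without the permission, only the "no permission" message is rendered.
            // The decompiler showed the raw enum values 10 and 0x4c here.
            writer.AddAttribute(HtmlTextWriterAttribute.Class, "ms-descriptiontext");
            writer.RenderBeginTag(HtmlTextWriterTag.Span);
            writer.Write(SPHttpUtility.HtmlEncode(SPResource.GetString("PeoplePickerNoPermission", new object[0])));
            writer.RenderEndTag();
        }
    }
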
So all we need is to grant the SPBasePermissions.BrowseUserInfo permission to the anonymous user. Unfortunately, there is no way to do this through the SharePoint web interface; you have to edit the content database of your site. What we are looking for is the row in the Perms table with an empty ScopeUrl and some number in AnonymousPermMask; this row holds the anonymous permissions on the site. Add the value 134217728 (SPBasePermissions.BrowseUserInfo) to AnonymousPermMask and voilà, the PeopleEditor is rendered correctly.

But we are not done yet. If you try to check a user name or save the form, a login prompt appears. The cause is the access to Active Directory. Solution: configure Active Directory to allow anonymous queries.

Should work now.
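
The mask change described above, as an added example (not code from the original post or from SharePoint): it decodes an AnonymousPermMask value into SPBasePermissions flag names, sets BrowseUserInfo with a bitwise OR rather than arithmetic addition, and lists the scopes that grant that bit to anonymous users. The flag table is a subset of the enum; the sample masks, the `Lists/Tasks` scope and the function names are constructed for illustration.

```python
# SPBasePermissions bit values (subset of the enum, enough for this example).
FLAGS = {
    "ViewListItems": 0x1,
    "OpenItems": 0x20,
    "ViewVersions": 0x40,
    "ViewFormPages": 0x1000,
    "Open": 0x10000,
    "ViewPages": 0x20000,
    "BrowseDirectories": 0x4000000,
    "BrowseUserInfo": 0x8000000,  # 134217728, the value named in the post
    "AddDelPrivateWebParts": 0x10000000,
}
BROWSE_USER_INFO = FLAGS["BrowseUserInfo"]


def decode(mask):
    """Return (flag names set in mask, leftover bits not covered by FLAGS)."""
    names = [name for name, bit in FLAGS.items() if mask & bit]
    known = sum(bit for bit in FLAGS.values() if mask & bit)
    return names, mask & ~known


def grant_browse_user_info(mask):
    """Set the bit with OR, so repeating the change leaves the mask unchanged."""
    return mask | BROWSE_USER_INFO


def audit(rows):
    """Return ScopeUrl values whose anonymous mask includes BrowseUserInfo."""
    return [scope for scope, mask in rows if mask & BROWSE_USER_INFO]


# Constructed sample values, not taken from a real content database.
BASE_MASK = 0x31061  # ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages
SAMPLE_ROWS = [("", grant_browse_user_info(BASE_MASK)), ("Lists/Tasks", BASE_MASK)]

if __name__ == "__main__":
    once = grant_browse_user_info(BASE_MASK)
    print(hex(once), decode(once))
    # Plain addition applied a second time carries into the next bit:
    # BrowseUserInfo is cleared and AddDelPrivateWebParts is set instead.
    added_twice = BASE_MASK + BROWSE_USER_INFO + BROWSE_USER_INFO
    print(hex(added_twice), decode(added_twice))
    print(audit(SAMPLE_ROWS))
```

Running `audit` over an export of the Perms rows shows which scopes expose user information to unauthenticated visitors.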