Security, Permissions, AllowEveryoneViewItems and Script Libraries

By on October 9, 2013,

I came across something interesting today that I’m still mulling over; I haven’t gotten comfortable with this yet and so don’t really know how I feel about it and its implications. What I’m talking about is a property on SPList called AllowEveryoneViewItems. MSDN has the following to say about this property:

Gets or sets a Boolean value specifying whether everyone can view documents in the document library or attachments to items in the list. The AllowEveryoneViewItems property does not apply to all list items, but only to documents in document libraries or to attachments in list items. This property only works when users browse directly to a file through the browser, and it has no effect on the rest of the user interface or the object model.

The net effect of setting this property (either declaratively in your ListTemplate Elements file, via PowerShell or programmatically) is that you can make files in a document library or attachments on list items available (read-only) to all users, almost completely bypassing SharePoint security. I say almost because it does not, in my testing, enable anonymous access to the files. But if the users have any access to your site, they have access to all files in any list with this property set to true. If you turn on anonymous access for the site, then everyone has read access to these files.

On the one hand, I see this as a huge boon for something like a script library – where we’re storing JavaScript files that should be available, read-only, to all users and we don’t want anyone to be able to turn that off or block access because then bad things will happen. On the other hand, I don’t like anything that bypasses SharePoint security. Security has always been a strong selling point for SharePoint in my mind so this concerns me a bit. At the very least, there should be some indication on the permissions page for the list or library (and the item if item-level permissions are in use) that this property is set to true and therefore everyone has read access.

What do you think? Is this good or bad?

Dave
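Because the permissions page gives no sign that the property is set, an administrator can report on it from the server object model. The script below is an added example, not code from the original post; it assumes a SharePoint Server management shell with rights to enumerate every web in the site collection, and both the function name `Get-EveryoneViewList` and the site URL are placeholders.

```powershell
# Added audit example; not from the original post.
# Assumption: run on a SharePoint server by an account that can open every web.
# $SiteUrl is a placeholder, not a value taken from the post.
param([string]$SiteUrl = 'http://sharepoint.example.local')

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-EveryoneViewList {
    param([Parameter(Mandatory = $true)][string]$Url)

    $site = Get-SPSite -Identity $Url
    try {
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    # Only lists where direct file/attachment reads bypass permissions.
                    if (-not $list.AllowEveryoneViewItems) { continue }

                    New-Object PSObject -Property @{
                        Web               = $web.Url
                        List              = $list.Title
                        Path              = $list.RootFolder.ServerRelativeUrl
                        BaseType          = $list.BaseType
                        # Attachments are what the flag exposes on non-library lists.
                        Attachments       = $list.EnableAttachments
                        # Broken inheritance suggests someone meant to restrict this list.
                        UniquePermissions = $list.HasUniqueRoleAssignments
                        # Anonymous access on the web widens the audience further.
                        WebAnonymousState = $web.AnonymousState
                    }
                }
            }
            finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
        }
    }
    finally { $site.Dispose() }
}

Get-EveryoneViewList -Url $SiteUrl |
    Select-Object Web, List, Path, BaseType, Attachments, UniquePermissions, WebAnonymousState |
    Sort-Object Web, List |
    Format-Table -AutoSize
```

Rows where `UniquePermissions` is True deserve the first look, since the flag overrides whatever restriction the broken inheritance was meant to enforce for direct file requests.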
