SharePoint 2013 and anonymous RSS

Update 2015/03/08: See this post for a workaround/fix.

A client I'm doing some work at uses SharePoint 2010 for their public facing internet site, which has anonymous access enabled. Because they're such a groovy, funky, trend setting company, they use all the latest technologies… like RSS. Certain document libraries and lists allow users to subscribe via RSS, and it works well enough:

SharePoint 2010 RSS page with styling applied — The "pretty" version

But now we're implementing 2013, and one of the first things we noted was anonymous users just get a blank page when clicking the RSS link. Authenticated users get an unstyled horrible page, but that's a blog post for another day:

SharePoint 2013 RSS without styling applied — The ugly version

So the first thing I did was view source, lo and behold the RSS XML was there! So was it a problem with the XSLT maybe? I grabbed the link for the stylesheet and tried to navigate to it, only to be prompted for credentials. Sure enough, if I actually logged in, the XSLT was returned and the page loaded (albeit unstyled).

My first thought was the ViewFormPagesLockdown feature, which is now enabled by default in 2013. Sure enough, disabling that feature allowed anonymous users to load the XSLT just fine. But that also means they can view all of the other pages you generally don't want restricted viewers to see! Pages like viewlsts, dispform or AllItems.

This also raises the question: wasn't this working fine in 2010? A quick test on the existing site proved yes, it used to work just fine. So what changed? ILSpy time (I really need to donate a stack of money to those guys).

Comparing RssXsltPage.RightsRequired between the two farms, it was immediately obvious why this was broken.

SharePoint 2010:


protected override SPBasePermissions RightsRequired {
    get {
        return SPBasePermissions.Open;
    }
}

SharePoint 2013:


protected override SPBasePermissions RightsRequired {
    get {
        return SPBasePermissions.ViewFormPages | SPBasePermissions.Open;
    }
}

They've added ViewFormPages! I have no clue why Microsoft have done this—the ListFeed page doesn't have extra permissions. So this means users can happily pull content from the site, but oh hey don't let them get a stylesheet! /s

So after all of this, what can be done? The way the clients' site is set up, there are just a few hardcoded links around the site pointing to the RSS feed page. Rather than those links being the http:// scheme, I think I'll just change them to be the feed://. Then it'll open directly in their RSS reader, and this problem goes away. Because really, they've clicked a link for RSS, why do they need to then see another poorly formatted page with another link saying "click here to subscribe"?

Note: those screen shots above aren't from my clients site, they're from SPSDemo, and I just manually injected the old V4 CSS to get the "pretty" version.

Update 2014/05/08: I have tried to find other examples of viewlsts, you'll be denied access, which I assume is from the ViewFormPagesLockdown feature.

So maybe this is purely a bug in on-prem SharePoint 2013, or maybe Microsoft have fixed the bug and a hotfix is coming for on-prem.