I have previously written about an issue stopping anonymous users accessing RSS feeds with SharePoint 2013 when `ViewFormPagesLockdown` is enabled. While I managed to develop a workaround for the client I was working with at the time, I completely neglected to write it up so others could benefit. What a rube.

I've put an example solution up on GitHub; hopefully someone will find that useful. Here's what it does:

As mentioned in the linked post, the problem stems from Microsoft changing the permissions on the `RssXslt.RightsRequired` property to include `ViewFormPages` in SP2013:
```csharp
protected override SPBasePermissions RightsRequired {
    get {
        return SPBasePermissions.ViewFormPages | SPBasePermissions.Open;
    }
}
```
The basic workaround idea is this:
- Deploy a new layouts page that inherits from `RssXsltPage` and overrides the `RightsRequired` property to return an appropriate value (i.e. what SharePoint 2010 returns)
- Use an IIS rewrite/redirect to send any calls to `/_layouts/15/rssxslt.aspx` to my layouts page instead
So I created a blank solution, added a mapped folder to `Layouts` and added an ASPX page `RssXslt.aspx`. I inherited from `Microsoft.SharePoint.ApplicationPages.RssXsltPage`, and overrode `RightsRequired` to return whatever the OOTB `RssXsltPage` class returns, except for `ViewFormPages`:
```csharp
protected override SPBasePermissions RightsRequired
{
    get {
        return base.RightsRequired & ~SPBasePermissions.ViewFormPages;
    }
}
```
I could have just returned `Open` permissions, but on the off chance the base permissions ever change, this will allow those changes to flow through.

Now for the catch… the original `RssXslt.aspx` isn't just an empty ASPX file driven completely by codebehind—it contains a bunch of XSL and server controls that are required for the base class to function. There's probably a better way to do this, but I simply copied everything except the directives from the OOTB `RssXslt.aspx` into my `RssXslt.aspx`.

I deployed this to my test farm and confirmed that anonymous users can in fact view my version of the ASPX, yet still get challenged to authenticate for the OOTB ASPX. Score!
For the final touch—IIS rewrites. It's no good having an accessible stylesheet if the RSS feed is still pointing to the broken one. And unfortunately the `feedlist.aspx` code-behind isn't feasible to hack around. So IIS rewrites will have to do. I want to rewrite anything containing `/_layouts/15/rssxslt.aspx` to point to my page. The solution I built is named `AnonymousRss`, so it will need to rewrite to `/_layouts/15/AnonymousRss/rssxslt.aspx`:
```xml
<rule name="RssXslt For Anonymous Users">
  <match url="^(.*/_layouts/15/)(rssxslt.aspx)" />
  <action type="Redirect" url="{R:1}AnonymousRss/{R:2}" />
</rule>
```
You can use the IIS management console to do this of course. One thing to be aware of: if you're running this on a farm with multiple web front ends, each WFE will need this configuration applied. The solution could be changed to use `SPWebConfigModification` to let SharePoint handle pushing the changes to all WFEs, but damned if I'm touching that mess of a process for a simple workaround :)
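To see which requests the rule above actually catches, here is an added example (not part of the original solution) that emulates URL Rewrite's matching in JavaScript, since URL Rewrite patterns use ECMAScript regex syntax. The sample paths are constructed, and `TIGHT_PATTERN` is a hypothetical tightened variant that should be verified in IIS before use.

```javascript
// Emulates how IIS URL Rewrite evaluates a rule's <match url> and builds the
// action URL. All sample paths below are constructed for illustration.
const PAGE_PATTERN = "^(.*/_layouts/15/)(rssxslt.aspx)";          // as in the rule above
const TIGHT_PATTERN = "^((?:.*/)?_layouts/15/)(rssxslt\\.aspx)$"; // hypothetical variant
const ACTION_URL = "{R:1}AnonymousRss/{R:2}";

function applyRule(pattern, requestPath) {
  // URL Rewrite matches against the path without its leading slash and
  // without the query string; ignoreCase defaults to true.
  const input = requestPath.split("?")[0].replace(/^\//, "");
  const m = new RegExp(pattern, "i").exec(input);
  if (!m) return null; // rule does not fire; the request reaches the original page
  // Substitute {R:n} back-references with the captured groups.
  return ACTION_URL.replace(/\{R:(\d+)\}/g, (_, n) => m[Number(n)] ?? "");
}

const samples = [
  "/sites/news/_layouts/15/rssxslt.aspx?List=abc",     // subsite feed stylesheet
  "/_layouts/15/RssXslt.aspx",                         // root web: no "/" before _layouts
  "/sites/news/_layouts/15/AnonymousRss/rssxslt.aspx", // already redirected: must not loop
  "/sites/news/_layouts/15/rssxsltXaspx",              // unescaped "." matches any character
  "/sites/news/_layouts/15/rssxslt.aspx.bak",          // unanchored end matches a prefix
];

// Returns, per sample path, the substituted action URL for each pattern
// (null means the rule would not fire).
function compare() {
  return samples.map((path) => ({
    path,
    page: applyRule(PAGE_PATTERN, path),
    tight: applyRule(TIGHT_PATTERN, path),
  }));
}

console.table(compare());
```

Neither pattern matches the already-redirected path, so the redirect cannot loop; the root-web row shows the one case where the rule as written leaves anonymous users on the OOTB page.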
Here's the before and after. In this case I've configured IIS to redirect rather than rewrite, just so it's easy to see IIS is actually doing something: