If you were at SharePoint Saturday VA Beach and you saw the session on SPEasyForms, you probably heard us say that the ribbon button for configuring SPEasyForms for a list is security trimmed and you need to have the Manage Lists permission in order to see it. But there is also a link to the settings page on the list settings page, and I recently realized that I never got around to security trimming this link.
So the question is, is this a security flaw? In a word, no. The reason is that despite its name, security trimming is not a security mechanism. It is a UI feature. Generally, it is a bad practice to show people a link to something that they cannot use. Having the link appear on the list settings page for users who cannot configure it is certainly a UI flaw, and one that I will start to address in the next AddOns release for SPEasyForms.
So the next question is, what are the security considerations you should be aware of when using SPEasyForms? SPEasyForms security is entirely based on file system security, meaning that what a user can do with SPEasyForms is based on the SharePoint permissions assigned to the files that SPEasyForms depends on.
These files fall into two broad categories:
- The scripts, styles, and images used by SPEasyForms are all installed into the SPEasyFormsAssets folder of the Style Library in the site collection root. If the current user cannot read these files, then none of the things you configure SPEasyForms to do will be done on any forms opened by that user. Note also that these files must be checked in. This is an important consideration because, in SharePoint 2010 at least, the Style Library defaults to force checkout, which means all of the files are checked out when you first install SPEasyForms, and no non-privileged user will be able to see them. To get around this for now, turn off force checkout on the Style Library before activating SPEasyForms. I’m working on a better solution for version 2, but that’s going to be a while.
- The configuration files for a given list are text files saved in the root of the Site Assets library on the same site as the list that was configured. If a user is not able to read these files, then none of the things you configure SPEasyForms to do will be done on any forms opened by that user. Also, if a user cannot write to these files, they will not be able to successfully save any changes on the settings page. This is why the non-security-trimmed link on the list settings page isn’t actually a security flaw. Note also that if a user can write to these files, they can alter the configuration of lists regardless of whether or not they see any links to the settings page, so there is a bit of a disconnect between the security trimming and the actual security in version 1. Some users may see the links but not be able to save configuration changes; other users might not see the links but might still be able to save configuration changes.
I will do a better job of bridging this gap between the security trimming and the actual security in version 2, but just keep in mind that the actual security is based on the permissions of the files and you can lock down SPEasyForms however you like. You can even give a non-privileged user the ability to modify the SPEasyForms configuration for a given list just by breaking role inheritance on the configuration file for that list, explicitly giving them write access to it, and sending them a link to the settings page for that list (since they might not see the security trimmed links to the settings page).
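The gap between the trimmed ribbon button and the file permissions can be checked per user by comparing two effective-permission masks. The following is an added example, not part of SPEasyForms or the original post: it decodes SharePoint `{High, Low}` permission masks and reports where what a user sees and what they can actually save disagree. The sample users and masks are constructed, and the function names are hypothetical.

```javascript
// SP.PermissionKind values: 1-based bit positions in SharePoint's 64-bit permission mask.
const PermissionKind = { viewListItems: 1, editListItems: 3, manageLists: 12 };

// mask is { High, Low }, numbers or numeric strings, the shape SharePoint uses
// for SP.BasePermissions (for example the EffectiveBasePermissions property).
function hasPermission(mask, kind) {
  const bit = kind - 1;
  const word = Number(bit < 32 ? mask.Low : mask.High);
  return ((word >>> 0) & (1 << (bit % 32))) !== 0;
}

// listMask: effective permissions on the list (Manage Lists shows the ribbon button).
// configMask: effective permissions on that list's configuration file in Site Assets.
function classify(listMask, configMask) {
  const seesButton = hasPermission(listMask, PermissionKind.manageLists);
  const canRead = hasPermission(configMask, PermissionKind.viewListItems);
  const canSave = hasPermission(configMask, PermissionKind.editListItems);
  let finding = "consistent";
  if (seesButton && !canSave) finding = "sees button, cannot save";
  else if (!seesButton && canSave) finding = "no button, can still save";
  if (!canRead) finding += "; configuration not applied to this user's forms";
  return { seesButton, canRead, canSave, finding };
}

// Constructed sample masks (not real data): 1 = view, 15 = view/add/edit/delete,
// 2063 = the same plus Manage Lists, 0 = no access.
const sample = [
  { user: "alice", list: { High: "0", Low: "2063" }, config: { High: "0", Low: "1" } },
  { user: "bob",   list: { High: "0", Low: "1" },    config: { High: "0", Low: "15" } },
  { user: "carol", list: { High: "0", Low: "1" },    config: { High: "0", Low: "1" } },
  { user: "dave",  list: { High: "0", Low: "1" },    config: { High: "0", Low: "0" } },
];

// Returns one row per user with the decoded flags and the mismatch, if any.
function audit(rows) {
  return rows.map(r => ({ user: r.user, ...classify(r.list, r.config) }));
}

for (const row of audit(sample)) console.log(row.user + ": " + row.finding);
```

Rows reported as "no button, can still save" are the ones to review when locking down a list, since those users can change the configuration without ever being shown a link.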