SharePoint: Show or Hide Content based on Permissions
In this article I explain how to use the SPSecurityTrimmedControl class in SharePoint to show or hide content on a page based on the current user’s permissions. This can be applied to a Master Page, Application page or .aspx page such as a Web Part Page or Page Layout.
For public web facing sites, this can be used to show a "Login" and "Sign Up" link to users who have not been authenticated (anonymous users), then show a "Logout" link instead if a user is authenticated.
Other uses may be to control the visibility of links to built-in pages in the layouts directory such as the Site Settings or View All Site Content page for cases when you are using a customized Master Page that doesn’t include these links.
In my case, I am using a custom template to display the Current Site Navigation Menu, which usually includes a link to "View All Site Content" when using the default template, but has not been included in my custom menu layout. As Publishing features are not enabled on some sites, the link is not always available from the Site Actions Menu of a site so I decided to add a View All Site Content link to the page content as text.
As mentioned at the beginning of this article, I use the SPSecurityTrimmedControl class to only show the link to users with certain permission on the current site. I wanted the link to be visible to users with access to manage lists on the site, as well as the site owners (users with Full Control over the site).
Show a View All Site Content Link to Site Managers & Owners
The permissions are set using the PermissionsString property, which accepts one or more base permission type. When more than one base permission is included, they should be separated by commas. In my case, I want the owner of a site to view the link so have included the ManageWeb permission, and the ManageLists permission to allow users with access to add/remove and manage the settings for lists on the site to also see the link ( PermissionsString="ManageLists, ManageWeb" ).
The context of the permission mask can be specified using the "PermissionContext" property of the SPSecurityTrimmedControl class, which accepts the following values: "RootSite", "CurrentSite", "CurrentList", "CurrentItem" and "CurrentFolder". I have used the CurrentSite value for the property ( PermissionContext="CurrentSite" ).
As I want a user with either full control over the site, as well as a user with access to only manage lists and content on the site to view the link (Manage Hierarchy permission level), I have used the PermissionMode property, with the value of "Any" (it accepts "All" or "Any"). Setting to "All" would required that the current user has all of the permissions listed in the PermissionsString property to be able to see the content.
Once completed, the tag in my Master Page looks like this:
<SharePoint:SPSecurityTrimmedControl
ID="SPShowToManagers1"
PermissionsString="ManageLists, ManageWeb"
PermissionContext="CurrentSite"
PermissionMode="Any"
runat="server">
<div class="viewsitecontent-link">
<SharePoint:SPLinkButton id="idNavLinkViewAll" runat="server" NavigateUrl="~site/_layouts/viewlsts.aspx" Text="<%$Resources:wss,quiklnch_allcontent%>" AccessKey="<%$Resources:wss,quiklnch_allcontent_AK%>"/>
</div>
</SharePoint:SPSecurityTrimmedControl>
Show Different Content for Anonymous and Authenticated Users
The example in the online documentation for the SPSecurityTrimmedControl class suggests to use the "BrowseDirectories" base permission to test is a user is authenticated to a site. One of the comments suggests to use the AuthenticationRestrictions property instead of the PermissionsString property to achieve this, which seems like a better approach, as in some cases anonymous users may have the BrowserDirectory permissions to sites depending on the permission model that is implemented. The AuthenticationRestrictions property accepts the following values: "AllUsers", "AuthenticatedUsersOnly" and "AnonymousUsersOnly". Using this property makes it easy to tailor content based on authentication status, which setting the property to AuthenticatedUsersOnly for example, would result in the content being visible to only Authenticated users.
Class documentation and related information:
- SPSecurityTrimmedControl Class
- SPSecurityTrimmedControl Class Members
- The full list of SPBasePermissions that can be used for the security trimming.
- SPSecurityTrimmedControl.PermissionsString Property - The Property used to specify which permissions a user should have for the content to be visible.
- SPSecurityTrimmedControl.PermissionContext Property - The context of the permissions included (eg: CurrentSite).
- SPSecurityTrimmedControl.PermissionMode Property - Specify if a user requires all of the permissions, or only one in cases where multiple base permissions have been included.
- SPSecurityTrimmedControl.AuthenticationRestrictions Property - The property that can be used to specify the authentication status of the current user.
Related Articles / Tutorials:
Submit a review:
Login required.