Tuesday, May 26, 2009

MOSS 2007 Content Type Field Authorization

In MOSS 2007 you have authorization control over an entire content type, but not over a single field or combination of fields. This requirement comes up often with some of my clients, so I decided to whip up a quick authorization container control that could be wrapped around fields in a page layout to control who has access to the fields. This will work both for content editing and for content viewing.

First you need to create a custom ASP.NET control that can act as a container. While this is fairly easy, one item that often catches people unaware is the ParseChildren attribute. You need to set the ParseChildren to "false" in order for the custom ASP.NET control to interpret nested tags as separate controls rather than as properties. Setting the ParseChildren attribute to "true" will cause the control to think that the nested tags contain values that should be set to the matching properties of the control.

The complete code for the finished control is listed below:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Text;

using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

namespace MyCompany.SharePoint
{
[DefaultProperty("Groups")]
[ParseChildren(false)]
[ToolboxData("<{0}:AuthorizationContainer runat=server>")]
public class AuthorizationContainer : CompositeControl
{
private const string groupsCategory = "SharePoint";
private const string groupsViewState = "Groups";

[Bindable(false)]
[Category(groupsCategory)]
[DefaultValue("")]

[Localizable(false)]
public string Groups
{
get
{
string groups = (string)ViewState[groupsViewState];
if (groups == null)
{
groups = string.Empty;
}
return groups;
}
set
{
ViewState[groupsViewState] = value;
}
}

protected override void RenderContents(HtmlTextWriter output)
{
try
{
SPWeb web = SPControl.GetContextWeb(this.Context);
SPUser user = web.CurrentUser;
bool isInGroup = false;

if (!string.IsNullOrEmpty(this.Groups))
{
string[] items = this.Groups.Split(',');
foreach (string item in items)
{
if (this.IsInGroup(user, item.Trim()))
{
isInGroup = true;
break;
}
}
}
else
{
isInGroup = true;
}

if (isInGroup)
{
base.RenderContents(output);
}
}
catch (Exception ex)
{
output.WriteLine(ex.Message);
}
}

private bool IsInGroup(SPUser user, string name)
{
foreach (SPGroup group in user.Groups)
{
if (group.Name == name) return true;
}
return false;
}
}
}

As you can see the code is fairly simple. There is a property for setting the comma separated list of SharePoint group names that are authorized to view the content of the control, and a render method that checks to make sure that the current user is a member of one of the specified groups.
Using this new control to filter authorized users is super easy. Open up the page you want to edit in SharePoint Designer and edit the page layout of the page. The page layout will contain placeholder controls for the content type fields. Wrap the new AuthorizationContainer around the sections that you want to control. An example of this is listed below.

<MyControls:AuthorizationContainer runat="server" Groups="Approvers">
<table id="MSO_ContentTable" cellpadding="0" cellspacing="0" border="0" width="100%">
<tr> <td>
<div class="pageContent">
<PublishingWebControls:RichHtmlField id="content" FieldName="PublishingPageContent" runat="server"/>
</div>
</td>
</tr>
</table>
</MyControls:AuthorizationContainer>

While this code sample is simple in nature, you could extend it in many ways. It could filter authorization by audience membership or by custom logic based on database stored values. Feel free to turn it into whatever you want, just make sure to share the goods with me.