Thursday, June 12, 2014

Creating links to documents inside document sets - BUG

This is a bug a client of mine found in SharePoint 2010, and I verified on 2013 and Office 365 (as of today - not yet fixed).

The issue is when you create a link to a document inside a document set. If you are not familiar with this - users can create links inside document libraries, using a content type called "Link To Document". You can also create document sets - which is a special type of folder. To do so, add the two content types to a document library:

You then also have to configure the document set content type to accept links to documents in the document set settings under the content type settings:

The problem is when you create a document set, and in it you then create a link to document:

The result is that the users get redirected to the wrong URL, and instead of seeing the actual document set they started from, with the new link (or any document that is already in the document set) the users see a default view of a generic document set - not the one they started from:

The reason for this is different in 2010 and 2013. I have yet to pinpoint the reason for the issue in 2013, but in 2010 the issue is that the URL when creating a new link to document has two "RootFolder" parameters, and that confuses the server when the users click "OK" to save the link and to get redirected back. Instead of seeing the document set, they see the default document set home page - with no parameter to tell the server which document set to actually display the contents of.

I have created a workaround for 2010, and am yet to modify it for 2013 (since the behaviour in 2013 is slightly different, though the results are the same). The workaround is to use javascript to detect if we got to the current page from the edit form, and if the current page is a document set home page and if the current page parameters have two question marks in them. If so, redirect the user, removing the second "&RootFolder=" parameter. This will not work in 2013 since the url there doesnt have parameters after creating the link to document.

Here is an example of the code. To inject it I used a farm level feature that added a ScriptLink to all pages in the farm. The script link was to a .js file that contained the following code:

function FixDocumentSetRedirect() {
    if (document.referrer.indexOf("EditForm.aspx") > 0 && document.location.href.toLowerCase().indexOf("docsethomepage.aspx?id=") > 0 && document.location.href.toLowerCase().indexOf("docsethomepage.aspx?id=") < document.location.href.indexOf("?")) {
        var source = document.referrer;
        source = source.substring(source.indexOf("Source=") + "Source=".length);
        var firstRootFolder = source.indexOf("&RootFolder=");
        var secondRootFolder = source.indexOf("&RootFolder=", firstRootFolder + 1);
        if (secondRootFolder > firstRootFolder) {
            source = source.substring(0, secondRootFolder);
        document.location.href = source;


Wednesday, April 09, 2014

Users able to open documents using links, even without permissions

Recently I had to troubleshoot an issue where end-users were able to open links to documents they had no permissions to open. If they tried opening the library they got the "access denied" message that is expected, but clicking a link directly to a document in the library resulted in the document either opening up in the browser, or downloaded. We double checked the documents did not have item level security, and they didn't.

What a puzzle!

Turns out that those libraries were provisioned by code, and the code set a property on the library called "AllowEveryoneViewItems" (msdn documentation). This property, when set to true, means that anyone- even unauthenticated users, will be able to download and view items in the list or library - even without permissions.

The reason to turn it to true is when dealing with anonymous sites - for example, if you have an internet site and you want to put links to documents from pages, but you don't want users to be able to browse the library itself.