Potential security issue

Apr 22, 2008 at 8:53 AM
Hello All

I have a potential security issue with the SmartPart and wanted to get some advice and ideas. I have built a user control that displays sensitive data and hosted that in the SmartPart on a SharePoint site that is only accessible by a small group - all good - only that group can see that sensitive data.

How can I stop someone outside that group, in another site or even another site collection (once the SmartPart feature has been activated on that site collection) , adding the SmartPart to a page and then adding the sensitive usercontrol and being able to view the data. Every available usercontrol in the folder is available for anyone to use.

Thanks in advance.
Coordinator
Apr 23, 2008 at 12:48 PM
That's the same issue as with any other web part. You can't rely on the fact if a user can or can't add a user control/web part.

You must implement this check in the user control/web part itself.
Apr 23, 2008 at 2:34 PM
I did not think through how effective I was but maybe someone could pick appart what I did?

I tried to do somthing secure basically:
An Administrator of a site would have to add a web part or manage.
On an test box created my web part and exported a dwp file.
I turned off the Smart Part drop down list in the dwp.
I then changed the code to turn off export.
Put that code in a subdirectory of UserControls\Hr Only
Changed the DWP file to look for the file there.
As Administrator of a Site (production box) I imported the dwp file.


"How to Load UserControls from different folder rather than from "~\UserControls" "
http://www.codeplex.com/smartpart/Thread/View.aspx?ThreadId=26309

Regards,
Chris