Anonymous Access only for some sites. (SPS 2010)
-
16-10-2019 - |
Question
We host a neat little SP 2010 solution, my coworker and I developed, on the net. On the root site, you have some news and a login-webpart. (FBA) For everything else, you need to be logged-in.
So far, so good. The only thing we didn't thought of was, that the "user information list" is on the site, too. We stumbled upon this problem when we found some email-adresses and other information from the list on google!
For now we have forbidden the anonymous access, which works for us just fine, but our boss and some clients who have interest in this project want the "welcome"/login-page back.
Is there some work-around? Like setting the anonymous access on a seperate page only?
Solution
You could a a location tag to the web.config, restricting access to logged in (admin) users only.
<location path="PATHTOUSERINFOLIST">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
OTHER TIPS
You can enable lockdown mode to prevent unauthenticated users from accessing list and library pages.
Or, if it is indeed only one page that you want to allow, then you can add the following to your web.config:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="your-public-page.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Make sure if that page accesses any css or images that those are in a location that unauthenticated users have access to as well.