ViewFormPagesLockDown and excluding specific lists/pages

Question

I am working on a public facing MOSS 2007 site that uses the ViewFormPagesLockDown feature to stop anonymous users from accessing the standard list forms. I don't want to lose the additional security this feature provides, but there are a few lists where anonymous users should have access to the forms.

Is there anything I can do in the list settings, list template, or in feature code that will stop a specific list or form from requiring SPBasePermissions.ViewFormPages?

Answer 1

I wasn't able to find a way around it. Support for the LockDown feature seems to be baked into the form class. Instead, what we did was create a separate page with its own ListFormWebPart. The following is an adaptation of an entry from our internal blog where I outlined the steps to allow an anonymous user to add new items to a list:

In the List Settings, go to Advanced Settings. Make sure Read Access is set to All items. Return to List Settings and select Permissions for this list. Break inheritance from the site by selecting Actions > Edit Permissions. Note: If you see a checkbox to the left of the names this step has already been done. Once custom permissions have been set, select Settings > Anonymous Access. Check Add Items and then click OK. To complete Anonymous Access return to Settings > Advanced Settings, and reset to select Only their own for both Read access and Edit access, then click OK.

Create a new page using Site Actions > Create Page. Open the site SharePoint Designer. Right click on the newly created page and select Detach from Page Layout. Position the cursor within a Web Part Zone and select Insert > SharePoint Controls > Custom List Form. Select the appropriate list and New item form, then click OK. In the Code pane, change DataSourceMode in the newly created DataFormWebPart from ListItem to Webs. Leaving the default setting of ListItem, anonymous users get an "Access denied. You do not have permission to perform this action or access this resource" error. Save and view the page in the browser.

For best results, only use SharePoint Designer on a development server. To migrate the WebPart to the production, open the page on the Development server in the browser and select Export from the WebPart menu. Save the WebPart file. Open the page on the Production server in the browser and select Edit Page from Site Actions. From the menu on the Page Toolbar, select Page > Add Web Parts > Import. Enter the location of the WebPart file saved from the Development server and click Upload. Next, drag the imported WebPart from the Tool Pane on the right into the desired WebPart Zone. To save the page, click Publish.

Answer 2

An older question but I thought I would add another option that you can use to do this.

Solution: As Rich mentioned break permission inheritance on the list. Toggle the ViewFormPagesLockDown feature off.
Set anonymous users to have access to the list. Toggle the ViewFormPagesLockDown feature on.

Anonymous users should now be able to access application pages for the list only.

The Why: The ViewFormPagesLockDown feature removes the "View Application Pages", and "Use Remote Interfaces" permissions from the "Limited Access" permission role. However, the anonymous users doesn't pick up the changes to that roles until to toggle the anonymous access option. This works either at a site or list level. So if you want a particular web or list to have different anonymous access to application pages you can use the above solution to change that.