Make lists hidden that users can still contribute to but not see

Question

I have a scenario in which I want users that belong to a site collection to be able to edit a list through an application but not see the list itself.

I have made a farm solution in SP2010 that is basically a textbox where users can ask questions and give imput. The solution then saves these questions in lists. Up until here it's pretty straightforward.

The issue is that users can still see the list of lists in 'All Site Content', and even though the permissions don't allow it, they can still access and edit the lists. Is there a way to make the lists hidden to the Site Members and only shown to Admin and Owners?

I have searched and have found only ways to hide columns, which is not what I want.

To be clear: The user must still be able to edit the list through the Farm Solution.

So if it could be coded into the solution, that would be great. But a PowerShell script would be fine too, maybe even better if it's separated from the actual solution

Answer 1

If you only want to hide the list from "All Site Content", the SPList class has a "Hidden" attribute. If you set this attribute to true, nobody will see the list via "All Site Content", but you can still access the list with the direct link. You could set the "Hidden" attribute with Powershell or a console application, for example (or do it at feature activation like PirateEric suggested).

Powershell:

$url = "http://yoursite.local"
$site = get-spsite $url
$web = $site.openweb()
$list = $web.Lists["YourList"]
$list.Hidden = $true
$list.Update()
$web.Dispose()
$site.Dispose()

Console Application:

using (var site = new SPSite("http://yoursite.local"))
{
    using (var web = site.OpenWeb())
    {
        var list = web.Lists.TryGetList("YourList");
        if (list != null)
        {
            list.Hidden = true;
            list.Update();
        }
    }
}

Answer 2

You can use spsecurity.runwithelevatedprivileges to edit the list from the application. Go through the below link on how to use the above method. No need to give user any special permissions. Give edit permission to the application pool account. That should solve it.

If you want to save the user name as well in the list you can do by creating a new column and updating it with user name.

Let me know if I have got your requirement correctly.

Happy Coding :)

Answer 3

In a feature event receiver upon FeatureActivating, get a handle on your list and set it to hidden, http://msdn.microsoft.com/en-us/library/office/microsoft.sharepoint.splist.hidden(v=office.14).aspx

This will hide it from the All Site Content and still give users the ability to add items to it. If anyone did know the underlying list name, they could directly navigate to it.

If you're ok with that (I assume some people need to view and act on the information) then there is no need to RunWithElevatedPrivileges, which should be used sparingly in my opinion. It's a crutch for lazy programmers to work around the security model.

Answer 4

This looks loke something I would do in a few steps.

1 hide the list as @Dolgsthrasir suggests

2 manage permisions for the list / or make specific views for the list remove the read but now write from users. List permissions with PowerShell

3 Provide a quick link for users to contribute to the list / handle it via your application

If the PowerShell fails you can always fiddle with the list view and make it so only a select number of users can view the list.