Using WSS 3.0, we have noticed that while users can be restricted to access only certain sub-sites of a site collection through permission settings, the same doesn't seem to be true for web services, such as /_vti_bin/Lists.asmx!
Here's our experimental setup:
http://formal/test : 'test' site collection
- site1 : first site in test site collection, user1 is member
- site2 : second site in test site collection, user2 is member
With this setup, using a web browser user2 can:
- access http://formal/test/site2/Default.aspx
- cannot access http://formal/test/site1/Default.aspx
That's what is expected.
To our surprise however, using the code below, user2 can retrieve the names of the lists in site1, something he should not have access to!
Is that by (unfortunate) design, or is there a configuration setting we've missed that would prevent user2 from retrieving the names of lists in site1? Is this going to be different in SharePoint 2010?
Here's the web service code used in the experiment:
class Program
{
static readonly string _url ="http://formal/sites/research/site2/_vti_bin/Lists.asmx";
static readonly string _user = "user2";
static readonly string _password = "password";
static readonly string _domain = "DOMAIN";
static void Main(string[] args)
{
try
{
ListsSoapClient service = GetServiceClient(_url, _user, _password, _domain);
var result = service.GetListCollection();
Console.WriteLine(result.Value);
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
}
}
private static ListsSoapClient GetServiceClient(string url, string userName, string password, string domain)
{
BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
ListsSoapClient service = new ListsSoapClient(binding, new System.ServiceModel.EndpointAddress(url));
service.ClientCredentials.UserName.Password = password;
service.ClientCredentials.UserName.UserName = (!string.IsNullOrEmpty(domain)) ? domain + "\\" + userName : userName;
return service;
}
}