SharePoint web services not protected?

Posted by Philipp Schmid on Server Fault
Published on 2010-05-13T17:44:00Z, indexed on 2010/05/13 17:55 UTC

Using WSS 3.0, we have noticed that while users can be restricted to access only certain sub-sites of a site collection through permission settings, the same doesn't seem to be true for web services, such as /_vti_bin/Lists.asmx!

Here's our experimental setup:

http://formal/test   : 'test' site collection

  - site1           : first site in test site collection, user1 is member
  - site2           : second site in test site collection, user2 is member

With this setup, using a web browser, user2:

  - can access        http://formal/test/site2/Default.aspx
  - cannot access     http://formal/test/site1/Default.aspx

That's what is expected.

To our surprise however, using the code below, user2 can retrieve the names of the lists in site1, something he should not have access to!

Is that by (unfortunate) design, or is there a configuration setting we've missed that would prevent user2 from retrieving the names of lists in site1? Is this going to be different in SharePoint 2010?

Here's the web service code used in the experiment:

using System;
using System.ServiceModel;
// ListsSoapClient is the WCF proxy generated by adding a service reference to Lists.asmx

class Program
{
    static readonly string _url = "http://formal/sites/research/site2/_vti_bin/Lists.asmx";
    static readonly string _user = "user2";
    static readonly string _password = "password";
    static readonly string _domain = "DOMAIN";

    static void Main(string[] args)
    {
        try
        {
            ListsSoapClient service = GetServiceClient(_url, _user, _password, _domain);

            // GetListCollection returns the lists of the web that the endpoint URL belongs to
            var result = service.GetListCollection();
            Console.WriteLine(result.Value);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
        }
    }

    private static ListsSoapClient GetServiceClient(string url, string userName, string password, string domain)
    {
        // Plain HTTP transport with NTLM authentication; credentials are set explicitly below
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

        ListsSoapClient service = new ListsSoapClient(binding, new System.ServiceModel.EndpointAddress(url));

        service.ClientCredentials.UserName.Password = password;
        service.ClientCredentials.UserName.UserName = (!string.IsNullOrEmpty(domain)) ? domain + "\\" + userName : userName;
        return service;
    }
}
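Generalising the probe above into an authorization audit for a site collection you administer, as an added example (not the poster's code): for every sub-site and every test account it calls GetListCollection on that site's Lists.asmx and reports any account that can enumerate lists on a site it is not expected to reach. The HTTP/NTLM transport is replaced by a constructed stand-in that reproduces the behaviour the post reports, so the script runs offline; site URLs, list names and the expected-access table are constructed to mirror the post's setup.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.microsoft.com/sharepoint/soap/"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

def build_get_list_collection_request():
    """SOAP 1.1 envelope for Lists.asmx GetListCollection (the call takes no parameters)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<GetListCollection xmlns="{SOAP_NS}"/></soap:Body></soap:Envelope>')

def parse_list_titles(response_body):
    """Title attribute of every <List> element in a GetListCollection response."""
    root = ET.fromstring(response_body)
    return [el.get("Title") for el in root.iter(f"{{{SOAP_NS}}}List")]

def audit_lists_asmx(site_urls, test_users, expected_access, transport):
    """Call GetListCollection on each site as each test account; return (site, user, titles)
    wherever an account enumerated lists on a site it is not expected to reach.
    transport(url, user, soap_body) -> (http_status, body). A real transport POSTs with
    NTLM credentials and the SOAPAction header "<SOAP_NS>GetListCollection"."""
    findings = []
    for site in site_urls:
        for user in test_users:
            status, body = transport(site + "/_vti_bin/Lists.asmx", user,
                                     build_get_list_collection_request())
            if status != 200:
                continue  # 401/403 is the expected answer for a non-member
            titles = parse_list_titles(body)
            if titles and user not in expected_access.get(site, set()):
                findings.append((site, user, titles))
    return findings

# Constructed stand-in for the HTTP/NTLM transport: like the WSS 3.0 behaviour in the
# post, it returns the site's list names to any authenticated site-collection user.
FAKE_LISTS = {"http://formal/test/site1": ["Shared Documents", "Tasks"], "http://formal/test/site2": ["Calendar"]}

def fake_transport(url, user, soap_body):
    site = url.rsplit("/_vti_bin/", 1)[0]
    lists = "".join(f'<List Title="{t}"/>' for t in FAKE_LISTS[site])
    return 200, (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
                 f'<GetListCollectionResponse xmlns="{SOAP_NS}"><GetListCollectionResult>'
                 f'<Lists>{lists}</Lists></GetListCollectionResult></GetListCollectionResponse>'
                 '</soap:Body></soap:Envelope>')

def run_audit():
    """Expected access mirrors the post: user1 is a member of site1 only, user2 of site2 only."""
    expected = {"http://formal/test/site1": {"user1"}, "http://formal/test/site2": {"user2"}}
    return audit_lists_asmx(sorted(FAKE_LISTS), ["user1", "user2"], expected, fake_transport)

for site, user, titles in run_audit():
    print(f"FINDING: {user} can enumerate lists on {site}: {titles}")
```

With the constructed transport both cross-site probes succeed, so the audit reports user2 on site1 and user1 on site2; against a real farm only the sites where the web service answers a non-member with 200 and a list collection would appear.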

© Server Fault or respective owner
