Tip: Use Resource files to security-trim Custom Action elements for SharePoint Ribbon

Wednesday, 19 February 2014

Custom actions in SharePoint server Ribbon can be configured so that they are displayed only to users which have specific Base Permissions on installed scope. In this article we will show how to leverage Resource files to configure permissions on Ribbon customizations.

We will start with Ribbon customization sample published on MSDN http://msdn.microsoft.com/en-us/library/office/ff407458(v=office.14).aspx . During development of Custom Actions for SharePoint Ribbon, we can use  Resource files to provide localization of labels and tooltips for buttons in the Ribbon. It is quite easy to add Resource file with our custom messages, and it is also quite easy to use them from Ribbon definition. For example, if we have resx file with message "ButtonLabel", we can use this simple syntax in xml to display message in desired language in our Custom Action definition.

<Button Id="Ribbon.Library.Share.NewRibbonButton"            Sequence="25"            Command="NewRibbonButtonCommand"            Image16by16="/_layouts/15/1033/images/info32.png"            Image32by32="/_layouts/15/1033/images/info32.png"            LabelText="$Resources:ButtonLabel"            TemplateAlias="o2" />

If we want to security trim the ribbon actions, we need to set Rights property of CustomAction element to desired permission value, for example "ManageLists". Implication of setting this property is such that only users that have specified permissions on SharePoint will have those ribbon buttons visible.

<CustomAction     Id="Ribbon.Library.Actions.AddAButton"    Location="CommandUI.Ribbon"    RegistrationId="101"    RegistrationType="List"    Rights="ManageLists"    Title="$Resources:ActionTitle">

The values for this property should be in accordance to SPBasePermissions enumeration in SharePoint http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx . Common approach is to set the value of this property in Ribbon XML during ribbon development, and in that case entered value is hardcoded in XML and we don't have any option to configure it later. When we need to change access rights to our custom ribbons button, we need to change ribbon xml and redeploy the customization from Visual Studio, or to change configured permission levels for  the site.

We can use same resx files which we use for localization to set permissions for the ribbon customizations. In that way we are able to change desired permissions later without the need to edit Ribbon XML, but only by changing resource strings in resource files. The Rights property now can be written as

Rights="$Resources:RequiredPermission"

Of course, the label has to exist in resx file, and must have valid SPBasePermissions value.

In Full Trust solutions, we can even change the permission strings later without redeploying entire Ribbon customization, just by editing our custom resx file in RESOURCES subfolder of SharePoint hive. As Sandbox solutions don't get deployed to file system, that is not possible in case of Sandbox solutions.

Code sample (Sandbox solution) is posted on OneDrive http://1drv.ms/1cY6VO6