Tuesday, May 29, 2012

The method “GetItems” of the type “List” with ID {..} is blocked by administrator on the server

Have you ever faced this error on a MOSS 2010 website? Here is a scenario that I came across.
We are launching a public-facing website built on top of MOSS 2010. When we were testing the site in the QA environment with anonymous access enabled on the extended web app, we started getting this error when accessing lists using the Client Object Model.
So basically, this is an error that we normally get on an anonymous site that uses the Client Object Model to access lists on the site.

This was quite unexpected, as I was able to retrieve information about the Web object, as well as enumerate lists (even a few hidden ones) in the portal.

Digging a bit further, I combined an exception I noticed in Fiddler (Microsoft.SharePoint.Client.ApiBlockedException), with the class information found in the client.svc endpoint. In Reflector, this brought me through the SharePoint 2010 client service code, to a class called SPClientServiceHost, which has a method named IsMethodBlocked. Following this trail even further, it turns out that there's a SPClientCallableSettings class, exposed as ClientCallableSettings on the SPWebApplication object - and that's the key. Turning to PowerShell for a second, I enumerated what turns out to be the default settings for the AnonymousRestrictedTypes property:

So apparently anonymous users, using the Client Object Model, are blocked from using
  • GetItems and GetChanges on SPLists
  • GetChanges and GetSubwebsForCurrentUser on SPWebs
  • GetChanges on SPSites

The good news, however, is that the ClientCallableSettings value can be adjusted to allow anonymous user access to one or more of these methods.

Doing this with PowerShell:

$webapp = Get-SPWebApplication "http://sp2010dev"
$webapp.ClientCallableSettings.AnonymousRestrictedTypes.Remove([microsoft.sharepoint.splist], "GetItems")
# Save the modified web application object so the change is persisted
$webapp.Update()

Be sure to replace "http://sp2010dev" with the URL of your target web application. After doing this, anonymous calls to GetItems will work for that web application. The changes are persisted in the SharePoint database, and last until you change the setting again, or recreate the web application.
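
Because the setting applies to a whole web application, it is worth checking where the GetItems block has been lifted and whether that web application also allows anonymous access. The script below is an added example, not code from the original post. The helper name Get-AnonymousGetItemsExposure is hypothetical, and the check assumes that the default text rendering of the AnonymousRestrictedTypes entries contains the blocked method names.

```powershell
# Added example: report which web applications expose GetItems to anonymous
# Client Object Model callers. Run on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AnonymousGetItemsExposure {   # hypothetical helper name
    foreach ($wa in Get-SPWebApplication) {
        # Zones (Default, Internet, ...) whose IIS settings allow anonymous access
        $anonZones = @($wa.IisSettings.GetEnumerator() |
            Where-Object { $_.Value.AllowAnonymous } |
            ForEach-Object { $_.Key.ToString() })

        # Assumption: the default text rendering of each restriction entry
        # contains the blocked method names; the post does not show the
        # entry type, so the check is done on that rendering.
        $rendered = ($wa.ClientCallableSettings.AnonymousRestrictedTypes |
            Format-List * | Out-String)
        $getItemsBlocked = $rendered -match '\bGetItems\b'

        New-Object PSObject -Property @{
            WebApplication  = $wa.Url
            AnonymousZones  = ($anonZones -join ', ')
            GetItemsBlocked = $getItemsBlocked
            # Exposed only when anonymous access is on AND the block was removed
            Exposed         = ($anonZones.Count -gt 0 -and -not $getItemsBlocked)
        }
    }
}

Get-AnonymousGetItemsExposure |
    Sort-Object Exposed -Descending |
    Format-Table WebApplication, AnonymousZones, GetItemsBlocked, Exposed -AutoSize
```

A row with Exposed set to True means anonymous visitors can call GetItems on any list that grants them read permission in that web application, so review list-level anonymous permissions there.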
