HttpCode

The latest patch Tuesday includes the following for SharePoint:

Executive Summary

This security update resolves a privately reported vulnerability. The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure.

You should seriously consider this patch and apply it.

I was recently asked a question around this scenario:

If you log into a SharePoint Portal by using the ‘Sign in as Different User Button’ as User2 it works fine, however when you click on the ‘MySite’ link it will show the MySite of User1 not User2 as you would expect.

I should also point out that the MySite and Portal are running in separate web applications (this should give away the answer).

So what is happening here is that when you click on the MySite link, this web applications asks the browser for the users authentication details, since it is a different URL (i.e. because its running in a separate web application, it will be a subdomain or even a different domain name) the browser will forward the logged in users credentials i.e. User1 (provided that it is in the local intranet zone), the browser will not keep User2’s credentials and will not forward them on. So the end effect is the scenario described above which may seem odd to the end user.

The only way to get around this is to user the ‘RunAs’ command from windows and run the browser process as User2.

What we’ve normally found is that the ‘Sign in as Different User’ option is normally only used by power users, these people will generally understand the problem if you explain it to them.

Just a quick note to point out the following link: http://www.visifire.com/

They provide open source Silverlight and WPF charts:

Worth remembering next time you want to add a rich chart to your applications

Have you seen the AJAX libraries API from google? They can be found here: http://code.google.com/apis/ajaxlibs/

What are they?

Basically its a content distribution network (CDN) for the most popular JavaScript libraries such as JQuery. It provides the officially released libraries in a gzipped form, served from a global CDN, so that your end users hit a server near them.

I feel like I’ve been living under a rock to have just discovered this service. It looks pretty easy to implement.

A couple of random tips for using lists inside of SharePoint:

• Make use of the RSS features of Lists – Each document library publishes an RSS feed which really provides the user with a wealth of options, there is no site collection limits on how that feed is consumed, so it’s possible to use in their MySites etc. If you have Kerberos setup correctly it is possible that other systems can make use of the feed. RSS is a good option to supplement the alerts that a list can send, often users won’t want their email cluttered with alerts.
• Alerts – Granularity is the key to successful alerts, a user can be alerted when a specific view of a list changes. This can make the alert more useful to the end user, we don’t want to spam them.
• Folder Level Permissions beware – The ability to create folder-level and document level security permissions can really cause some headaches for new users and administrators. The feature is really powerful, but can also create complex problems that can be hard to solve. There has been lots of discussion around the need for folders in a document library, I think there is value to be gained from them personally.
• Picture Libraries – It should be noted that the picture libraries have limited support for thumbnail view, it’s not a major limitation but it’s likely to come up in discussions / training with new users.

I came across an interesting scenario the other day where I needed to select some html elements with JQuery that had a class name like:

   1: <input type="radio" class="star star_id_45 star_group_5" />

I wanted to be able to select the elements that contained the class ‘star_id_45’, which as you can see is in the middle of the class string.

The answer was the following code:

   1: $("input[class*='star_id_45']")

Notice the use of the asterix (*), that was the key to getting the selector to work properly.

I ran across an interesting bug with the JQuery thickbox, I pointed it to a URL which was an ASP.NET ashx handler that generates thumbnail images, the result in the browser was this garbled response:

Using Firebug we see that it expects the result to be text/html

Looking at the code it is obvious what the problem is:

   1: var urlString = /\.jpg$|\.jpeg$|\.png$|\.gif$|\.bmp$/;

   2: var urlType = baseURL.toLowerCase().match(urlString);

   3:  

   4: if (urlType == '.jpg' || urlType == '.jpeg' || urlType == '.png' || urlType == '.gif' || urlType == '.bmp') {//code to show images

The code looks at the extension of what it is calling, if it finds any of the common image types, it will send a different request type, so adding the .ashx extension will fix the issue:

   1: var urlString = /\.jpg$|\.jpeg$|\.png$|\.ashx$|\.gif$|\.bmp$/;

   2: var urlType = baseURL.toLowerCase().match(urlString);

   3:  

   4: if (urlType == '.jpg' || urlType == '.jpeg' || urlType == '.ashx' || urlType == '.png' || urlType == '.gif' || urlType == '.bmp') {//code to show images

I’ve just simply added the .ashx as a file extension that should be treated as an image type, this fixed the issue.

I was asked recently if the BDC search results (when indexed by the search) can be controlled by an access list. The answer is that yes, the Security trimmer is the SharePoint feature to accomplish this. In fact any search result can be trimmed, so if you wanted to index some website that used custom permissions (i.e. a content access account that has full rights to a website) but you didn’t want to show that information to say public users of your site, this same security trimmer functionally can be used.

The important things to note are:

• The security trimmer is attached to a crawl rule
• The security trimmer is a class that implements the ISecurityTrimmer interface, the registration process defines the full assembly name, as such it must be loaded into the GAC.
• After the security trimmer is registered, you will need to recreate the content source and perform a full crawl
• Performance might be an issue, since every search result will be access checked, if your looking for insight on how to approach this refer to this MSDN article

At Tech-Ed Barcelona, the new SharePoint related features of Visual Studio 2010 were presented in the keynote:

Taken from Paul Andrew’s Blog

I’ve highlighted the features that I think are exciting, it’s good to see that more tooling support is coming.

I was having a bit of a play around with CRM 4 and build an application definition file that provides the entities: Account, Contact and Product.

So you can use the BDC web parts to display the contacts in the account like:

You can download the Application Definition File here.

Last night I started having a bit of a play with the Azure blob storage system. The first thing to do is install the SDK and get the development storage and development fabric setup.

The SDK gives you the ability to go File –> New –> Cloud Project, I selected the web role for my demo (the other options include a stand alone worker, or combined web and worker roles).

From here I included the StorageClient project from the Azure SDK samples, this has a bunch of wrapper classes that are helpful.

Then I added some appSettings entries that contain URL’s for the development tools:

   1: <appSettings>

   2:   <add key = "AccountName" value="devstoreaccount1"/>

   3:   <add key = "AccountSharedKey" value="Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="/>

   4:   <add key="BlobStorageEndpoint" value="http://127.0.0.1:10000/"/>

   5:   <add key="QueueStorageEndpoint" value="http://127.0.0.1:10001"/>

   6:   <add key="TableStorageEndpoint" value="http://127.0.0.1:10002"/>

   7: </appSettings>

The only thing that I was interested in was putting stuff into the blob storage, so I put together a simple asp.net page that contained an upload file control and a button.

I wired up the button event with the following code:

   1: protected void btnTest_Click(object sender, EventArgs e)

   2: {

   3:     StorageAccountInfo blobAccount = StorageAccountInfo.GetDefaultBlobStorageAccountFromConfiguration();

   4:     

   5:     BlobStorage blobStorage = BlobStorage.Create(blobAccount);

   6:     blobStorage.RetryPolicy = RetryPolicies.RetryN(1, TimeSpan.FromMilliseconds(100));

   7:     

   8:     BlobContainer container = blobStorage.GetBlobContainer(Guid.NewGuid().ToString());

   9:  

  10:     NameValueCollection containerMetadata = new NameValueCollection();

  11:     containerMetadata.Add("Name", "TestContainer");

  12:     container.CreateContainer(containerMetadata, ContainerAccessControl.Public);

  13:  

  14:     string blobName = Path.GetFileName(testFile.PostedFile.FileName);           

  15:     BlobProperties properties = new BlobProperties(blobName);

  16:     container.CreateBlob(properties, new BlobContents(testFile.PostedFile.InputStream), true);

  17: }

To prove that the uploaded file was inserted into the blob, I used the CloudDrive project that is also provided by the Azure SDK, this project provides some PowerShell magic to allow you to mount the blob storage as a drive (the drive is blob:) so in the command window I could do the following:

This just lists all the containers that have been created and then the blob’s that live inside those containers.

Now the interesting part is that we can use the browser to also view our blob:

The MSDN pages give us the details, but basically you browse to http://127.0.0.1/devstoreaccount/<container>/<blobname>

Of course you’ll only be able to browse like this unauthenticated if your container is publically viewable, these attributes were set above with the ContainerAccessControl.Public parameter on the CreateContainer method call.