Thursday 10 March 2011

Anonymous Access using the SharePoint 2010 Client Object Model

One of the nice things about the client object model is the ability to retrieve items using ECMAScript and thereby make the UX of a public-facing website more dynamic and interesting. Items can be retrieved dynamically from lists within SharePoint 2010 and displayed in interesting ways, customising the whole interface if necessary with dynamic XHTML and CSS. This is all very well in the world of an Intranet / Extranet where users are authenticated, but in a world where you have Anonymous access enabled, the story is not quite the same.

Client-side object model calls work for authenticated users, but certain calls do not work when your user is anonymous: the request is rejected by the server and the query never runs. The reason is quite simply a deliberate restriction that SharePoint 2010 applies to specific client object model calls when the caller is anonymous.

"What's the point of that?", I hear you say. Well, SharePoint rightly secures certain operations of the client object model so that only authenticated users can call them. I say "rightly so" because allowing an anonymous caller to query the items in a list could pose a security threat or a breach of data protection, especially if the list contains sensitive data. The client object model restrictions (of which there is more than one) are applied at the Web Application level which, admittedly, doesn't allow for a great deal of granularity. They can be viewed using the ClientCallableSettings.AnonymousRestrictedTypes property of an SPWebApplication, which lists the restrictions applied to SPList, SPWeb and SPSite client object model calls. Looking at a default installation of SharePoint you will see that there is a restriction imposed on the GetItems method of SPList objects; it is this that prevents anonymous users from calling GetItems. You can get a list of the restrictions by running the following PowerShell script (it prompts for a site collection URL, but only to find the parent Web Application, which is where the setting lives):

# Lists the client object model calls that are restricted for anonymous users.
# Run from the SharePoint 2010 Management Shell (farm administrator rights required).
param($Identity)
if(-not $Identity) { $Identity = Read-Host -Prompt "Site Collection" }
$site = Get-SPSite -Identity $Identity
Write-Host "Processing..."
# The restrictions are a Web Application setting, not a site collection setting
$wa = $site.WebApplication
$wa.ClientCallableSettings.AnonymousRestrictedTypes
$site.Dispose()

Fortunately, the position is not untenable and SharePoint 2010, with the help of PowerShell, allows us to remove a restriction so that the corresponding client object model call works for Anonymous Users. Note that this lifts only the restriction you remove; any other entries in AnonymousRestrictedTypes stay in force. Here's the PowerShell script to remove the GetItems restriction:

# Removes the anonymous restriction on SPList.GetItems for the whole Web Application
# that owns the given site collection. Run from the SharePoint 2010 Management Shell
# with farm administrator rights.
param($Identity)
if(-not $Identity) { $Identity = Read-Host -Prompt "Site Collection" }
$site = Get-SPSite -Identity $Identity
Write-Host "Processing..."
$wa = $site.WebApplication
Write-Host "Removing the GetItems restriction..."
# Remove(Type, String) takes the server-side type and the method name to unrestrict
$wa.ClientCallableSettings.AnonymousRestrictedTypes.Remove([Microsoft.SharePoint.SPList], "GetItems")
# Update() persists the change to the configuration database for the Web Application
$wa.Update()
$site.Dispose()
Write-Host "The operation was completed successfully"
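Because the change above is easy to make and easy to forget, the following script audits every Web Application in the farm for the GetItems restriction and, with -Restore, puts it back. It is an added example and not part of the original post. It assumes the SharePoint 2010 Management Shell (or the snap-in loaded at the top), farm administrator rights, and that Add(Type, String) on AnonymousRestrictedTypes is the counterpart of the Remove(Type, String) call used above; the text match on each entry's default formatting is an assumption too, chosen so the script does not depend on the entry's property names.

```powershell
# Added example, not from the original post: audit every Web Application in the farm for
# the anonymous SPList.GetItems restriction and optionally restore it.
# Assumes the SharePoint 2010 Management Shell and farm administrator rights.
param([switch]$Restore)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$restrictedType   = [Microsoft.SharePoint.SPList]
$restrictedMethod = "GetItems"

foreach ($wa in Get-SPWebApplication) {
    $restrictions = $wa.ClientCallableSettings.AnonymousRestrictedTypes
    Write-Host ("Web Application: {0} ({1})" -f $wa.DisplayName, $wa.Url)

    $present = $false
    foreach ($entry in $restrictions) {
        # Assumption: the default formatting of an entry includes the restricted type's
        # name and the method name, so a plain text match identifies the GetItems entry
        # without depending on the entry's property names.
        $text = ($entry | Format-List | Out-String)
        Write-Host ("    restricted: " + ($text -replace '\s+', ' ').Trim())
        if (($text -match $restrictedType.Name) -and ($text -match $restrictedMethod)) {
            $present = $true
        }
    }

    if ($present) {
        Write-Host "    OK: anonymous callers cannot use SPList.GetItems here"
    }
    else {
        Write-Warning ("{0} allows anonymous SPList.GetItems" -f $wa.DisplayName)
        if ($Restore) {
            # Assumption: Add(Type, String) is the counterpart of Remove(Type, String)
            $restrictions.Add($restrictedType, $restrictedMethod)
            $wa.Update()
            Write-Host "    Restriction restored"
        }
    }
}
```

Run it without -Restore from a scheduled job or as part of a configuration review to catch Web Applications where the restriction was removed and never put back; run it with -Restore when you want the default behaviour reinstated everywhere.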

It's useful that it's there, but it does mean there is a need to balance security against required access. Removing the restriction lifts it for all SPList objects across a single Web Application: every list in every site collection of that Web Application then answers GetItems for anonymous callers. The restriction is not a substitute for list permissions, only a layer on top of them, so once it is gone anything an anonymous user can already read through the browser can also be bulk-queried with a CAML query from script. While this is great, it does mean you do not get the granularity you may prefer in order to allow only a specific list to be queried in this way (a bit of a "sledgehammer to crack a nut" approach). Therefore, when allowing this, bear in mind it is one-size-fits-all and you will need to ensure that a proper security model is followed for lists that contain sensitive data, which may mean breaking permission inheritance on those lists in sites that allow access to anonymous users. In other words, be choosy about what you allow access to.
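To be choosy you first need to know what anonymous users can already read, since that is exactly what GetItems will hand out once the restriction is gone. The following script walks a site collection and reports every list that grants anonymous users ViewListItems, together with whether it inherits its permissions. It is an added example, not from the original post; it assumes the SharePoint 2010 Management Shell and relies on SPWeb.AnonymousState and SPList.AnonymousPermMask64, which are the server object model's record of the anonymous settings applied through the UI.

```powershell
# Added example, not from the original post: report every list in a site collection that
# anonymous users can read, so you can see what removing the GetItems restriction exposes.
# Assumes the SharePoint 2010 Management Shell and rights to read the site collection.
param($Identity)
if (-not $Identity) { $Identity = Read-Host -Prompt "Site Collection URL" }

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The bit we care about: the right to read items in a list
$viewItems = [uint64][Microsoft.SharePoint.SPBasePermissions]::ViewListItems

$site = Get-SPSite -Identity $Identity
try {
    foreach ($web in $site.AllWebs) {
        # AnonymousState is Disabled, Enabled (lists and libraries only) or On (entire web)
        Write-Host ("Web: {0}  (anonymous access: {1})" -f $web.Url, $web.AnonymousState)
        if ($web.AnonymousState -eq "Disabled") {
            $web.Dispose()
            continue
        }

        foreach ($list in $web.Lists) {
            # AnonymousPermMask64 is the permission mask granted to anonymous users on this list;
            # it reflects both inherited permissions and any unique ones set on the list itself
            $mask = [uint64]$list.AnonymousPermMask64
            if (($mask -band $viewItems) -eq 0) { continue }

            $inherits = -not $list.HasUniqueRoleAssignments
            Write-Host ("    readable by anonymous: {0,-40} items={1,-6} hidden={2,-5} inherits={3}" -f `
                $list.Title, $list.ItemCount, $list.Hidden, $inherits)
        }
        $web.Dispose()
    }
}
finally {
    $site.Dispose()
}
```

Anything this prints will be queryable through the client object model by anonymous users after the restriction is removed; for lists that should not be, break inheritance on the list and remove the anonymous grant, then re-run the script to confirm they no longer appear.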

1 comment:

  1. I like this concept. I visited your blog for the first time and have just become your fan. Keep posting as I am gonna come to read it every day!!