Security trimmed top navigation links

The estimated reading time for this post is 2 minutes

I was asked to review a client environment yesterday to find out why the links in their top navigation bar were displaying for users that did not have permission to the particular sites.

Creating sites

It turns out that when sites were being created by the client on SharePoint Foundation 2010 they were being created without the ‘include on the top navigation bar’ check box ticked. As a result, the link was then not automatically added to the top navigation bar but instead later manually added and so was not security trimmed link.

Display this site on the top link bar of the parent site
Display this site on the top link bar of the parent site

It was then after removing permissions to the various sites that it became clear that users were able to see the top navigation bar link to the sites even though they did not have access.

Obviously, there are situations when users don’t have permissions to a site and you don’t want them to see that the site even exists. An example of this might be in an extranet scenario when you have third parties accessing project sites and you don’t want those third parties seeing the names of other project sites that may exist let alone the content…so how do we prevent this?

Identifying security trimmed links

By reviewing the URLs of the links in the top navigation bar I was able to identify whether the links were security trimmed or not. If the field for the URL is disabled then the link is security trimmed and most probably created when as the site was created.

Custom top navigation link that is not security trimmed
Custom top navigation link that is not security trimmed
Security trimmed top navigation link
Security trimmed top navigation link

Adding new security trimmed links

After identifying the problem, I then had to make the existing links security trimmed. I did this in two stages. The first was to make a note of the position of the link that needed to be replaced. I then deleted it from the top navigation bar using the ‘Top Link Bar’ site settings page (_layouts/topnav.aspx). The second stage was then to create the new security trimmed link by using the PowerShell code below.

Modify the $SPWeb and @(“Site Name”, “/sitename/default.aspx”) arguments as required and run the code for each of the top navigation bar links that need to be security trimmed. Remember the old link will need to be removed and the new one ordered as required.

Conclusion

It appears SharePoint, specifically SharePoint Foundation 2010 only honours security trimmed links in the top navigation when the links are created automatically as opposed to being created manually.

Note: this post specifically targets SharePoint 2010 Foundation which does not include the extended navigation that is included as part of the Publishing feature.

Comments

2 responses to “Security trimmed top navigation links”

  1. disweij avatar
    disweij

    Great post James. Thank you.

    Security trimming also occurs in Quick Launch Site collection.
    The modified PowerShell script below shows how to modify Quick Launch “Sites”

    # Open Web
    $SPWeb = Get-SPWeb http://your.url.com/
    # Get reference to QuickLaunch
    $Nav = $SPWeb.Navigation.QuickLaunch
    # Create link to be added to Sites Library
    $NewLink = New-Object Microsoft.SharePoint.Navigation.SPNavigationNode -argumentlist @(“Link To Sub Site”,”/linktosubsite”)
    # Get Sites Library reference
    $Node = $Nav | where {$_.title -eq “Sites”}
    # Add NewLink to the Sites Library
    $Node.Children.AddAsLast($NewLink)

    Kind regards,
    disweij

    1. James Callaghan avatar

      Yes, thanks for sharing this Diswij.

Leave a Reply