MOSS 2007 - anonymous access to SPServices or SharePoint Web services for a public internet site

May 24, 2013 at 3:37 AM
Edited May 24, 2013 at 3:39 AM
Hi, does anyone have some ideas on best practice for using SPServices and MOSS 2007 Web services on a public internet site? Is it possible to call SPServices and GetListItems from client-side JavaScript code to, e.g., read items from a list?

On our public internet site server, the "_vti_bin" folder is blocked for security reasons, so SPServices will have issues calling _vti_bin/Lists.asmx. So we have to change the rule exceptions on IIS to allow access to Lists.asmx and Webs.asmx, but then it would leave a security hole because anonymous users might be able to have "Update" or "Delete" access to a list by using Lists.asmx.

Is there a solution for that if we don't want to unblock _vti_bin/*.asmx and only use client-side code and SPServices to read items from a list?

May 24, 2013 at 3:48 AM
I think we just discussed this on my blog. As I said there, the Web Services operate under the current user's permissions. If someone doesn't have permissions to do something through the UI, they can't do it through the Web Services. Period.

May 26, 2013 at 10:59 PM
Hi jmbill3, as Marc mentions, if a user cannot Delete or Update your List or SharePoint object, they won't be able to do so just because they have access to the web services.

By default, the "Read" site permission grants access to "Use Remote Interfaces - Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site." which is all that is required to make use of the SPServices library.

That said, unless you are doing some security by obscurity stuff on your own, you are not exposing yourself to anything more by allowing access to the web services.
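
The permission behaviour described in the replies can be checked against your own site. The following is an added example, not code from the thread or from SPServices; the site URL and list name passed to `checkAnonymousAccess` are placeholders, and it assumes a runtime with `fetch` (a page on the same site, or Node 18+).

```javascript
// Added example: confirm that an anonymous caller can read a list through
// Lists.asmx but cannot write to it. Use a disposable test list on your own site.
const NS = "http://schemas.microsoft.com/sharepoint/soap/";
const escapeXml = (s) => s.replace(/[<>&'"]/g, (c) => "&#" + c.charCodeAt(0) + ";");

// Build a SOAP 1.1 request for a Lists.asmx operation. No cookies or HTTP
// authentication are attached, so the server evaluates it as the anonymous user.
function buildRequest(operation, listName, innerXml) {
  const body =
    '<?xml version="1.0" encoding="utf-8"?>' +
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>' +
    `<${operation} xmlns="${NS}"><listName>${escapeXml(listName)}</listName>` +
    `${innerXml}</${operation}></soap:Body></soap:Envelope>`;
  return {
    method: "POST",
    credentials: "omit",
    headers: { "Content-Type": "text/xml; charset=utf-8", SOAPAction: NS + operation },
    body,
  };
}

// A write counts as accepted only if HTTP 200 and every <ErrorCode> is 0x00000000.
function writeAccepted(status, text) {
  if (status !== 200 || /<(\w+:)?Fault[\s>]/.test(text)) return false;
  const codes = [...text.matchAll(/<ErrorCode>([^<]*)<\/ErrorCode>/g)].map((m) => m[1]);
  return codes.length > 0 && codes.every((c) => c === "0x00000000");
}

// A read counts as allowed if HTTP 200 and the response carries an rs:data rowset.
function readAllowed(status, text) {
  return status === 200 && /<rs:data[\s>]/.test(text);
}

// siteUrl and listName are placeholders for your own site and a test list.
async function checkAnonymousAccess(siteUrl, listName) {
  const url = siteUrl.replace(/\/$/, "") + "/_vti_bin/Lists.asmx";
  const send = async (req) => {
    const res = await fetch(url, req);
    return [res.status, await res.text()];
  };
  const read = await send(buildRequest("GetListItems", listName, ""));
  const batch = '<updates><Batch OnError="Continue"><Method ID="1" Cmd="New">' +
    '<Field Name="Title">anonymous-write-check</Field></Method></Batch></updates>';
  const write = await send(buildRequest("UpdateListItems", listName, batch));
  return { canRead: readAllowed(...read), canWrite: writeAccepted(...write) };
}
```

For a read-only public list the expected result is `canRead: true, canWrite: false`; `canWrite: true` means anonymous users have been granted add or edit rights on that list.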