“My Recent Documents” web part on the Public “My Site” page


On the Public view of the “My Site” page you will notice there is a web part called “My Recent Documents”. It is generally liked; however, people often have concerns about the following:

1. It “can” display sensitive documents to end users
2. It is difficult to remove

So, I just thought it would be useful to:

1. Explain why it does not pose any security risk at all:

a) What is “My Recent Documents”? It is just a web part, but a static one, which means it is embedded into the SPS template, making it impossible to remove via the browser.
b) The results displayed in the web part come from the SharePoint Search indexes. It just runs a query that looks for any results where Author = name of the user whose profile is being displayed (in reality it may be a little more fancy than that).
c) Because it uses SharePoint search, the results are security trimmed so that a user will only see those documents they have access to; this should eliminate any security issues you may have.

2. Document how this web part can be removed:

It can be removed by doing the following:

a) Open the following file: <drive>:\Program Files\Common Files\Microsoft Shared\web server extensions\60\TEMPLATE\<Locale ID>\SPSMSITE\Public.aspx

 
b) Search for and delete the following string: <SPSWC:ProfileDocuments FrameType="TitleBarOnly" id="ProfileDocuments" runat="server" />

 
c) Save, and refresh the public page.
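
The three steps above as a PowerShell script, added here as an example and not part of the original post. It takes the real path to Public.aspx as a -Path argument (a parameter name chosen for this example), backs the file up first, and refuses to write unless the tag is found exactly once.

```powershell
# Added example, not from the original post.
# Removes the ProfileDocuments control from Public.aspx after taking a backup.
param(
    # Assumption: the caller supplies the real path; <drive> and <Locale ID>
    # in the post are placeholders and are not guessed here.
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$ErrorActionPreference = 'Stop'
$fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

# ISO-8859-1 maps every byte to one character and back, so the rest of the
# file (including any byte order mark) is written back byte for byte.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)
$text   = $latin1.GetString([System.IO.File]::ReadAllBytes($fullPath))

# Match the self-closing tag whatever the attribute order, spacing or case.
$regex = [regex]'(?is)<SPSWC:ProfileDocuments\b[^>]*?/>'
$hits  = $regex.Matches($text)

# Stop before touching the file if the template is not in the expected state.
if ($hits.Count -ne 1) {
    throw "Expected exactly one ProfileDocuments tag, found $($hits.Count); file left unchanged."
}
if ($hits[0].Value -notmatch 'id\s*=\s*"ProfileDocuments"') {
    throw "Tag found but its id is not ProfileDocuments; file left unchanged."
}

# Timestamped backup next to the original so the change can be rolled back.
$backup = "$fullPath.bak-" + (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $fullPath -Destination $backup

$newText = $regex.Replace($text, '', 1)
[System.IO.File]::WriteAllBytes($fullPath, $latin1.GetBytes($newText))

Write-Output "Removed: $($hits[0].Value)"
Write-Output "Backup:  $backup"
```

Copying the backup over Public.aspx restores the web part.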

Comments (7)

  1. KateRK says:

    Hi Daniel, we had the same complaints. Even though security prevents unauthorized access, people just didn’t want others to see what they had been working on. We removed the part via Front Page 2003.

  2. Building Your First Business Process … shows how easy it is to build a business process using Visual Studio .NET and BizTalk Server 2004, expose that business process as a Web service,

  3. Mark Harrison tries his hand at spam. (I’ve seen this "comment" before and it wasn’t really relevant there either)

  4. Daniel McPherson says:

    Hi KateRK, as you have found, some customers just don’t like this facility. The only thing I will say is that removing this web part doesn’t stop someone from seeing what you have been working on. You could easily just submit a query to SharePoint search with someone’s name and get the same results. The bottom line is if you don’t want someone to see something, secure it.

    Thanks for the comment.

  5. Mike – your comment adds little value too. I didn’t manually add this … it’s the way .Text trackbacks work – reference any other blog entry and it automatically adds a comment – and not necessarily using appropriate text.

  6. Steven Kassim says:

    What happens if two authors have similar names? You will have a query string like this: "http://servername/search.aspx?db=Smith%2c+Peter&wd=Recent+documents+by+Smith%2c+Peter".

    And therefore similar results for both authors.

    Mmmm.

  7. Daniel McPherson says:

    Hey Steven, I don’t know *exactly* how this web part works, however I suspect it would perform a query via the SharePoint SQL-like query language rather than via a querystring and the Search.aspx page (more info on this in the SDK). This would mean it could restrict the search by using WHERE clauses like "Author CONTAINS <Username>" or even "Author = <username>".

    This would avoid the problem you discussed.

    Hope that helps,

    Daniel