Thursday, January 26, 2012

Fix Mysterious 403 Forbidden error on SharePoint anonymous sites

While there are possibly many other permission-related causes for the HTTP status code 403 Forbidden error on SharePoint anonymous sites, one in particular is very elusive and puzzling. If a page accesses terms from the metadata store, e.g. trying to get the Label of a TaxonomyFieldValue off a list item, it results in the 403 error.

The problem, as many people have pointed out, is that every site collection stores the metadata in its own hidden list called "TaxonomyHiddenList". It's at /Lists/TaxonomyHiddenList/allitems.aspx. This list by default has Anonymous access turned on:




However, something is missing that the UI does not show. Simply clicking the OK button on the page above fixes the 403 error on pages that access the metadata in the site collection. So what does clicking the OK button actually do?

Behind the scenes, the Anonymous Access of the list has only one permission: ViewListItems. When the OK button is clicked, it adds four more permissions to the permission set: OpenItems, ViewVersions, Open, UseClientIntegration. Apparently when reading TaxonomyFieldValue of a list item, some of these additional permissions are required.

In addition to manually clicking the OK button to fix the problem for a site collection, the following code snippet can fix the problem in code:



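// rootweb: the SPWeb of the root site in the affected site collection.
// ViewListItems plus the four permissions that clicking OK adds.
SPBasePermissions newPer = SPBasePermissions.ViewListItems | SPBasePermissions.OpenItems | SPBasePermissions.ViewVersions | SPBasePermissions.Open | SPBasePermissions.UseClientIntegration;
SPList taxonomyHidden = rootweb.GetList("/sites/testSite/Lists/TaxonomyHiddenList");
// Replace the list's anonymous permission mask with the new set.
taxonomyHidden.AnonymousPermMask64 = newPer;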





Or better, get the Guest user's permissions on the site, and then add the additional permissions necessary:


// Start from the base permissions of the site's Guest role definition.
SPBasePermissions currentPer = rootweb.RoleDefinitions.GetByType(SPRoleType.Guest).BasePermissions;
// Add the four permissions that clicking OK adds.
SPBasePermissions newPer = currentPer | SPBasePermissions.OpenItems | SPBasePermissions.ViewVersions | SPBasePermissions.Open | SPBasePermissions.UseClientIntegration;
SPList taxonomyHidden = rootweb.GetList("/sites/testSite/Lists/TaxonomyHiddenList");
taxonomyHidden.AnonymousPermMask64 = newPer;



Note that the code above uses the C# bitwise OR operator (the pipe, |) to combine multiple permissions into the permission set. Run the code against the site collection in question and the 403 error will be fixed.
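An audit-first variant of the fix above, as an added example that is not code from the original post: it reports which of the five permissions are missing from the list's anonymous mask and writes the mask only when run with --fix. The class name, the --fix switch and the exit codes are assumptions of this example; it has to be compiled against Microsoft.SharePoint.dll and run on a SharePoint server.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: class name, --fix switch and exit codes are hypothetical.
class TaxonomyHiddenListAnonCheck
{
    // The permission set the post reports on the list after OK is clicked.
    const SPBasePermissions Required =
        SPBasePermissions.ViewListItems | SPBasePermissions.OpenItems |
        SPBasePermissions.ViewVersions | SPBasePermissions.Open |
        SPBasePermissions.UseClientIntegration;

    // Flags in 'required' that are not set in 'current'.
    static SPBasePermissions Missing(SPBasePermissions current, SPBasePermissions required)
    {
        return required & ~current;
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: <siteCollectionUrl> [--fix]");
            return 2;
        }
        bool fix = args.Length > 1 && args[1] == "--fix";

        using (SPSite site = new SPSite(args[0]))
        {
            SPWeb rootweb = site.RootWeb; // disposed together with the SPSite
            string listUrl = rootweb.ServerRelativeUrl.TrimEnd('/') + "/Lists/TaxonomyHiddenList";
            SPList list = rootweb.GetList(listUrl);

            SPBasePermissions current = list.AnonymousPermMask64;
            SPBasePermissions missing = Missing(current, Required);
            Console.WriteLine("{0}: anonymous mask = {1}", listUrl, current);
            if (missing == SPBasePermissions.EmptyMask) return 0; // nothing to do
            Console.WriteLine("missing: {0}", missing);
            if (!fix) return 1; // report only, leave the list untouched

            // Add only the missing flags; bits already granted are left alone.
            list.AnonymousPermMask64 = current | missing;
            Console.WriteLine("updated: {0}", list.AnonymousPermMask64);
            return 0;
        }
    }
}
```

Running it without --fix first shows exactly which anonymous permissions would be widened on each site collection before anything is changed.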


Tuesday, January 24, 2012

When the Ribbons block webpart picker...

On customized SharePoint pages, particularly Search Center pages, very often you end up with something like this when trying to add web parts to the page:













Notice that some of the webparts and categories are blocked by the Ribbon. If the one you want is blocked, first add any one that's clickable, then click on Edit Web Part in the newly added webpart. Once the Edit Panel shows up, click on the Add a Web Part link again. Now the webpart picker control shows below both the Ribbon bar and the header bar:



Nothing is being blocked anymore. Add the webpart(s) you desire, and delete the very first one that you added in the previous step if it's not needed.



Monday, January 23, 2012

SharePoint anonymous access permission

Came across a good explanation of exactly what permissions SharePoint anonymous access has:

"In SharePoint, anonymous users' rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. The reason it exists is because if you have a library or subsite that has broken permissions inheritance, and you give a user/group access to only that library/subsite, in order to view its contents, the user/group must have some access to the root web. Otherwise the user/group will be unable to browse the library/subsite, even though they have rights there, because there are things in the root web that are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that is breaking permissions inheritance, SharePoint will automatically give Limited Access to that group or user on the root web.

......If you want to see what rights Limited Access is composed of in your site, go to http://SERVER/_layouts/role.aspx and click on Limited Access. "

For more details, see the original post:
http://blogs.msdn.com/b/ecm/archive/2007/05/12/anonymous-users-forms-pages-and-the-lockdown-feature.aspx
