Fix Mysterious 403 Forbidden error on SharePoint anonymous sites

While there're possibly many other permission related causes for the HTTP Status Code 403 Firbidden error on SharePoint anonymous sites, one in particular is very elusive and puzzling. If a page access terms from the metadata store, e.g. trying to get the Label of a TaxonomyFieldValue off a list item, it results in the 403 error.

The problem, as many people have pointed out, is that every site collection stores the metadata in its own hidden list called "TaxonomyHiddenList". It's at /Lists/TaxonomyHiddenList/allitems.aspx. This list by default has Anonymous access turned on:




However, something's missing but the UI's not showing. By simply click the OK button on the page above, it fixes the 403 erorr on pages that access the metadata in the site collection. So what does clicking the OK button actually do?

Behind the scene, the Anonymous Access of the list has only one permission: ViewListItems. When the OK button is clicked, it addes four more permissions to the permission set: OpenItems, ViewVersions, Open, UseClientIntegration. Apparently when reading TaxonomyFieldValue of a list item, some of these additional permissions are required.

In addition to manually click the OK button to fix the problem for a site collection, the following code snippet can fix the problem in the code:

SPBasePermissions newPer = SPBasePermissions.ViewListItems | SPBasePermissions.OpenItems | SPBasePermissions.ViewVersions | SPBasePermissions.Open | SPBasePermissions.UseClientIntegration;
SPList taxonomyHidden = rootweb.GetList("/sites/testSite/Lists/TaxonomyHiddenList");
taxonomyHidden.AnonymousPermMask64 = newPer;

Or better, get the Guest user's permissions on the site, and then add the additional permissions necessary:

SPBasePermissions currentPer = rootweb.RoleDefinitions.GetByType(SPRoleType.Guest).BasePermissions;
SPBasePermissions newPer = currentPer | SPBasePermissions.OpenItems | SPBasePermissions.ViewVersions | SPBasePermissions.Open | SPBasePermissions.UseClientIntegration;
SPList taxonomyHidden = rootweb.GetList("/sites/testSite/Lists/TaxonomyHiddenList");
taxonomyHidden.AnonymousPermMask64 = newPer;

Note that the code above uses the C# or operator (pipe) to assign mulitple permissions to the permission set. Run the code against the site collection in question and the 403 error would be fixed.