SharePoint Thoughts
A blog centered on Windows® SharePoint® Services
Posted by Maurice Prather
One of the nicest new web part framework features in SharePoint 2010 is Web Part versioning.
 
Remember all those times you've edited a page only to misconfigure or delete a web part?  Versioning may help you unwind your mistakes, but it depends on how you are making edits.
 
How does it work?
  • Web Part instances are versioned only when a page is checked in.
  • Only Shared instances are versioned.
  • Versioning is controlled by the document-level settings.

If you are editing in any of the following conditions, versioning will not occur:

  1. Editing Personalized or Personal Web Parts
  2. Editing a page that is not checked out

Under these conditions, edits occur as they always have... directly and without opportunity to fall back to a saved state.

As you can see, Web Part versioning is really targeted toward protecting the broadest, most common usage scenarios.  If you are not checking in/out, you'll never see Web Part versioning at work.  Likewise, if you are dealing with anything other than a Shared Web Part, versioning does not occur.

What are the developer ramifications?
In its simplicity, there is nothing that you as a developer can really do.  The web part instances will either be on the page or they will not.

There is no visibility into a Web Part's history or opportunities for a Web Part to control its own destiny.  Web Part versioning is directly tied to the page history. 

The only side effect of versioning that I can foresee is the very same issue that people have with document version histories.  Each version is a complete instance/copy.  Therefore, if you are storing large amounts of data in a web part property, be aware that versioning will automatically force the user to consume more of their storage allocation.

In short, Web Part versioning is available and is really designed to be transparent to the developer and the end user.  The parts that are instantiated are completely dependent on the page version that is being rendered.

-Maurice

Posted @ 9:32 AM on Friday, October 30, 2009 | Comments:
Posted by Maurice Prather
Are you the type of person that has ever wondered which running back has the most yards per carry on natural fields when it's raining and the wind is in their face?
 
Well, a few years ago I had an opportunity to watch, from the sidelines, as a long time friend of mine (Rob Collie) generated wicked stats like that day in day out.  His team built an Excel Services application for a now-defunct fantasy football project over in MSN. They were looking at data in all sorts of ways...
 
The beauty of it all?  It's that little thing called BI.  You can take that first sentence of mine, remove football references, add your business elements... and it's practically the same concept - looking at your data in new and exciting ways.
 
BI in 2010 is pretty amazing.  There have been a lot of improvements that will make it much easier for more people to explore their worlds.  Gemini ... and yes, I'm still having a hard time getting used to the new name ... PowerPivot will change how businesses look at their data.
 
Want to learn more about PowerPivot?
I invite you to check out Rob Collie's blog at PowerPivotPro.com.  He's one of the folks that worked on Gemini... and he's an avid football stats man... the combo is dangerous if you're in his fantasy football league ... expect his blog to be packed with some informative articles!
 
 
-Maurice
 
Posted @ 7:20 PM on Tuesday, October 27, 2009 | Comments:
Posted by Maurice Prather
At the SharePoint conference, I had an opportunity to discuss a new feature that will affect the behavior of all Web Parts - old and new.
 
In 2010, contributor rights are being changed in 3 distinct areas:
  • Type of files that must be downloaded explicitly
  • The ability to change HTML markup in pages
  • The ability to change web part properties

These changes are being made because with the addition of the new Client Object Model, cross-site scripting (XSS) becomes a major concern to the health of your SharePoint system.

That's right, the Client Object Model (CLOM) is so powerful and easy to use (imagine cut/paste operations!) that XSS attacks from within the trusted membership can become a very serious matter.  To be fair, this has always been the case with contributors being able to change markup, but the level of difficulty in reading/writing data to SharePoint from the client was often seen as a deterrence factor.  That obviously changes if you have a client-side OM designed specifically to manipulate your site.

Back to Web Parts...

The behavior of every single web part in existence is going to change.  The new default behavior for who can view/edit web part properties is to PROHIBIT contributors from viewing/editing properties.

There are two (2) mechanisms that can come into operation to prevent contributors from viewing/editing properties:

  1. New Object Model attribute: RequiresDesignerPermissionAttribute
  2. New SafeControl attribute: SafeAgainstScript

These mechanisms apply permission-based restrictions on whether a contributor can view and/or edit web part properties.

It's also worth noting that these mechanisms operate independently of each other, with the Object Model attribute having the most authority of the two.

What is the default behavior?

By default, contributors are NOT allowed to view or edit custom web part properties.  All SafeControl entries default to SafeAgainstScript=false. 

Here are two tables to help illustrate how the safeguards work to enable/disable editing by a contributor.

In the first table, note the row with SafeAgainstScript=No.

RequiresDesignerPermission = false (or not applied)

| SafeAgainstScript | Designers and higher | Contributors |
|-------------------|----------------------|--------------|
| Yes               | Ok                   | Ok           |
| No                | Ok                   | Not Allowed  |

The table above basically applies to every legacy part that is simply installed on a 2010 server.  In short, your web part's use case scenarios will change.

The next table outlines how a web part built using the new Object Model attribute would operate.

RequiresDesignerPermission = true

| SafeAgainstScript | Designers and higher | Contributors |
|-------------------|----------------------|--------------|
| Yes               | Ok                   | Not Allowed  |
| No                | Ok                   | Not Allowed  |

Note the subtle difference in behavior.  The RequiresDesignerPermissionAttribute always forces the user to have the appropriate security permission regardless of the SafeAgainstScript attribute.

The ONLY time these mechanisms are not enforced is when a web part has been personalized and the property is scoped to the User or if the web part has been added as a Personal Web Part.
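How the two mechanisms combine on a single Web Part, as an added example (not code from the original post or from Microsoft). The `Contoso.WebParts` assembly and namespace, the class and property names, and the `PublicKeyToken` value are placeholders.

```csharp
using System.ComponentModel;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;

// Matching SafeControl entry in the web application's web.config. The assembly
// name, namespace and PublicKeyToken are placeholders for this example:
//   <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
//                Namespace="Contoso.WebParts" TypeName="*"
//                Safe="True" SafeAgainstScript="True" />
namespace Contoso.WebParts
{
    public class AnnouncementsWebPart : WebPart
    {
        public AnnouncementsWebPart()
        {
            ItemCount = 5;
        }

        // An integer cannot carry markup, so contributors may edit it.
        // They can only do so because the SafeControl entry sets SafeAgainstScript="True";
        // with the default (false) this property is hidden from contributors too.
        [WebBrowsable(true), Personalizable(PersonalizationScope.Shared)]
        [WebDisplayName("Items to show"), Category("Settings")]
        public int ItemCount { get; set; }

        // Written to the page as raw markup, so it stays with Designers and higher.
        // The attribute wins even though the SafeControl entry says SafeAgainstScript="True".
        [WebBrowsable(true), Personalizable(PersonalizationScope.Shared)]
        [WebDisplayName("Footer HTML"), Category("Settings")]
        [Microsoft.SharePoint.WebPartPages.RequiresDesignerPermission]
        public string FooterHtml { get; set; }

        protected override void RenderContents(HtmlTextWriter writer)
        {
            // Encode everything that is meant to be text.
            writer.WriteEncodedText("Showing " + ItemCount + " items");

            if (!string.IsNullOrEmpty(FooterHtml))
            {
                // Raw by design: only designer-level users can set this value.
                writer.Write(FooterHtml);
            }
        }
    }
}
```

Setting `SafeAgainstScript="True"` is a claim about every property in the matched types, so any property that can reach the page as markup needs the attribute before the entry is approved.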

What are the impacts of the new XSS safeguard?

  1. All web parts, by default, will behave differently in 2010. 
  2. User scenarios need to be reevaluated.  If you have a web part that was specifically designed with contributor-level users in mind, investigation is needed to determine how to best enable that functionality on a 2010 server.
  3. The Sandbox does not in any way offer more protection for the XSS scenarios.  All of the rules apply for Farm and Sandboxed solutions.
  4. Developers have additional flexibility to manage who can view/edit properties based on permissions.
  5. Administrators will add "why is SafeAgainstScript=true" to their list of pre-installation validation questions.

I'll cover the other 2 contributor restrictions in coming posts.

In the meantime, start getting ready for the calls asking "how come I can't edit the properties?".  We all know those calls are going to come in...  :)

-Maurice

 

Posted @ 12:18 PM on Saturday, October 24, 2009 | Comments:
Posted by Maurice Prather
Over the past few months, I've had the opportunity to code review several different private and commercial products built on SharePoint.
 
One of the things that I noticed is that folks are putting Web Part related files (css, js, images, ascx) all over the place...
 
Naturally, I have to ask why...  often times, folks just dump files into the locations that seemingly make sense... for example, images often times go in "layouts/images" or any number of other layouts locations, user controls get dumped into controltemplates, sometimes they are embedded into the web part assembly, sometimes they are pushed into doc libs, etc...
 
Reasonable logic but when I ask why the web part resources folder wasn't used, some folks stop and ask "what is that?"
 
So, it seems that web part resources have somewhat fallen off the radar... 
 
What are Web Part resources?  Each Web Part assembly has an opportunity to associate any number of files with itself.  This is defined in the Solution file via the ClassResource element.
 
The files will be deployed to one of two locations, depending on your installation type (GAC or bin).  The locations are nothing more than virtual directories that live on the web front ends.  The bin version (/wpresources) does not allow certain types of files to be rendered (.asax, .ascx, .ashx, .asmx, .aspx).  The GAC version (/_wpresources) is not as restrictive and pretty much available to host all page types.
 
Why is it good to put resources such as js, css, images, ascx files in the Web Part resources folder?
  • You automatically get your own storage location.  SharePoint creates a unique folder for your assembly.
  • Since it's on the file system, you get the inherent benefits of not hitting the database and automatically utilizing IIS for managing file caching and/or compression (for those instances where related files are put into SharePoint itself)
  • You don't even have to worry about the path... SharePoint gives that to you.

The path is retrieved using the static method GetServerRelativeClassResourcePath that hangs off the SPWebPartManager class.

Throw your images, css, .ascx files, and whatever else you need in there!

Wait... .ascx files?  Don't user controls have to go into ControlTemplates?  Don't they have to be registered in the SafeControls list?

The answer depends on how you call the ascx files.  A lot of folks use .ascx files as templates for their Web Parts (meaning they have a shell Web Part that calls Page.LoadControl to load their ascx file).  If your Web Part directly loads the user control, then using class resources is a perfectly viable option.  The SafeControls list is only applied to controls that are explicitly created via page markup.  The key point to remember here is that your Web Part is SafeControl-approved because it was explicitly created and parsed as part of the page; however, once the code is running, it can do anything it wants (as allowed by the CAS policy).  Thus, loading a file off the system is perfectly valid and not routed through the SafeControls monitor.
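A shell Web Part that pulls its files from class resources, as an added example (not code from the original post). It assumes a GAC-deployed assembly, so the files live under /_wpresources; the class name and the `OrdersView.ascx` and `orders.png` file names are hypothetical.

```csharp
using System.Web;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;

namespace Contoso.WebParts   // placeholder namespace
{
    public class OrdersWebPart : WebPart
    {
        protected override void CreateChildControls()
        {
            // SharePoint returns the server-relative folder that is unique to
            // this assembly; nothing about the location is hard-coded here.
            string root = VirtualPathUtility.AppendTrailingSlash(
                Microsoft.SharePoint.WebPartPages.SPWebPartManager
                    .GetServerRelativeClassResourcePath(SPContext.Current.Web, GetType()));

            // Static files are served by IIS straight from the file system.
            Controls.Add(new Image
            {
                ImageUrl = root + "orders.png",
                AlternateText = "Orders"
            });

            // The user control is loaded by code, not declared in page markup,
            // so the SafeControls list is not consulted for it. The only gate is
            // the SafeControl entry for this Web Part, which makes the .ascx part
            // of what gets reviewed when the assembly is approved.
            Controls.Add(Page.LoadControl(root + "OrdersView.ascx"));
        }
    }
}
```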

On the other hand, if you are deploying ascx files as standalone controls then your best bet continues to be controltemplates (given the location and the SafeControl entry exists).  The hard limitation here is the fact that the bin-version of wpresources does not allow .ascx files to be rendered directly (in other words, even if you had the right SafeControls entry, IIS would prohibit the control from being rendered).

The next time you deploy a Web Part that has some support files, don't forget to look at ClassResources before putting files elsewhere.

-Maurice

 

Posted @ 10:41 AM on Thursday, August 06, 2009 | Comments:
Posted by Maurice Prather

I had the honor of attending the Beta session (rotation 2) of the Microsoft Certified Master SharePoint Server 2007 program this past month. R2, as it was affectionately called, was the first SharePoint MCM class that was open to people outside of Microsoft. The MCM certification class is 3 weeks long.

It is hard to imagine going to class for 3 weeks. In many ways, this was the single largest educational commitment that I’ve made since graduate school. First, I needed to be firmly convinced of my personal learning potential. Then, I needed to clear my schedule at work (let alone get buyoff). And, finally, I needed to clear my schedule at home. It’s pretty hard to tell folks that you are going to be unavailable for 3 weeks. This is a crucial point that I will dive into a little bit further down.

No matter how much planning and preparation you do, start dates always arrive faster than you anticipate. March 16th was no different.

The first hour of class was pretty standard stuff – intros, logistics, and class miscellany. From the intros, it was pretty clear that everyone in the room was a SharePoint expert, most with 4-5+ years of experience with SharePoint. My teammates practically came from far and near (Germany, Holland, India, Portugal, Scotland, Sweden, Switzerland and the US) and everyone brought a different set of skills. It was a good 50/50 mix of Microsoft and external candidates. The class was extremely diversified - we had developers, instructors, consultants, service providers, support engineers, architects. In all – 16 people, each bringing knowledge to the table.

Intros were the easiest part of the course... we dove into the first subject and from then on we were all chugging along at full steam.

The course material was excellent. The Alpha team (R1) did a great job of not only piecing together a very comprehensive set of topics but, in many cases, complementing the class material with equally good lab sessions. Each day was packed with materials, labs, and general free-form discussions. Evenings were often occupied with studying and more free-form discussions. Weekends were reserved for group study, discussions, catching up on labs, and last second test prep. (My dog Asta came along during weekends – she loved the MCM vibe!)

Life as an MCM candidate is interesting. You will spend most of those 3 weeks in the classroom. Class starts at 8am. Lunch is 45 minutes long. Class usually came to a close around 6pm. General studying, reading, and labs would tack on a few more hours. From my perspective, class was a full day’s worth of work + some more. I would start the day around 6am and finally hit the sack somewhere around 12:30 or 1:00am. If by any chance I had committed to the wacky idea of “work 8 hours after class”, I would have failed miserably on both ends. I barely had enough time for the class, let alone trying to juggle other things. The MCM class requires your dedicated attention.

Is it all work and no play? No. We did go out to dinner a couple of times, we met with the product team one afternoon, and not all days were jam-packed. It was nice to socialize but when it came down to it, everyone was focused. The intensity comes from the desire to be successful. The instructors and the program provide a lot of valuable information. The instructors are there to help you both broaden and sharpen your skill set. They don’t teach to the tests themselves. Knowing this, everyone can easily see that it’s their responsibility to cover everything. It’s the 4,000+ pages of suggested pre-reading materials, it’s the slide decks, it’s the labs, it’s the conversations with the instructors and your fellow teammates… in short, you have a lot of information to cover in a short period...

What about the exams? There are 3 written exams and 1 qualification lab. The written exams were thorough and often times very draining. I felt sorry for the instructors that came in for the session immediately following an exam. The qual lab was the final exam designed to test your experience with the product from a very hands on perspective. The qual lab exam was the most intense exam I’ve taken since college (for the record, AE 473 Structural Dynamics lasted over 4 hours and will probably always hold the top spot). With the exception of bio breaks and fetching some water, I didn’t leave my seat. 12 hours of SharePoint hands on testing. Brutal, I tell ya. When the time limit was hit, I think we all put down our proverbial pencils and let out a sigh – it was somewhere between relief and exhaustion. It was a long hard 3 weeks and reaching the end of the qual lab was in itself a pretty monumental task if you look at everything that you had to do from start to finish. No matter what the final individual results, everyone had done a great job.

In many ways, what I’m driving at is the MCM program is not for the faint of heart. It’s not a place to learn about SharePoint. It’s not a boot camp. If you happen to believe this course would be a good way to get some fundamentals, you’re wasting your time and money. The class is about refining and building upon your experiences. If you’ve been around me long enough, I’m sure you’ve heard me say that SharePoint is more like an ecological system; it’s not just an application. It touches on so many pieces that are within your infrastructure and it can be utilized in a million different ways. The Masters class will help you learn more about SharePoint, have no doubt. More importantly, though, you will learn how to clearly understand what you don’t know so that you can be smart about not blindly neglecting something or taking the time to explore that region. That’s what makes this certification program extremely valuable.

The master certification program is a great technical program. The MCM SharePoint team (the lead, the instructors, and support staff) did a fantastic job of putting together a solid set of instructors, topics, and labs. Yes, there were some beta hiccups, but they didn’t impact the overall delivery and success of the course. Well done and thank you!

Interested in becoming a SharePoint Master? I wanted to offer some tips to those considering MCM…

  • You have to be confident in your talents across the wide spectrum that is SharePoint. This class is designed to touch on all aspects of the platform.
  • The class requires dedication. Don’t think you are going to fly home on weekends. Don’t think you can do your full time job after class. At the start of the post I mentioned that you have to clear your personal and business schedule – live by that rule. You will need the “isolation” from other daily chores.
  • Stay in a place that is close to campus. Eliminate the hassle of Seattle-area traffic.
  • The last two bullets are seemingly unrelated but can be easily overlooked – especially if you live in the area or perhaps decide you want to stay in downtown Seattle. For example, I live in Seattle – not too far from the Redmond campus. Although I had the luxury of sleeping at home, it was truly hard to remove myself from common household duties (especially one particular weekend). After all, I was still at home and it’s super hard to say “just pretend I’m not here”. This is the one area where I felt the remote students had a clear advantage. If I had to do it over again, I probably would rent an apt and ask my family to bear with my absence. Sounds kind of harsh, but juggling family and an intense class was extremely challenging. And on top of all of that… I had to deal with the 520 commute.
  • Work as a team with your classmates and enjoy the camaraderie. I have to say this was the one thing that I really enjoyed about working with my classmates. Everyone was willing to help everyone else.
  • Bring a mouse. This is simply a speed optimization that you can leverage when it comes time to take the qual lab. I wish I had one about midway through the day... :)
  • If traveling across time zones, give yourself as much lead as possible to eliminate the jet lag. Once you dive into the deep technical stuff, it probably would be super helpful to not worry about jet lag.

It was a great experience. I’m glad to have taken the class and I have to thank my family and my teammates at ShareSquared – everyone pitched in one form or another so that I could concentrate on the MCM class free of (most) distractions.

-Maurice
Microsoft Certified Master for SharePoint 2007

Posted @ 9:55 AM on Thursday, April 23, 2009 | Comments:

Disclaimer:
The contents of this site represent thoughts and opinions of the authors, not those of anyone else - such as past, present and future employers.  This is a forum for the exchange of ideas centered on SharePoint technologies.  It is not a support channel.  :)

Copyright © 2004-2009 BluedogLimited.com. All rights reserved.