Effective – Rollup from a list in another site collection without using search – Security trimmed

If you want to roll up data in the current site collection, you can use the good old Content Query Web Part, and this will security trim.

If you want to roll up data from another site collection, you can use the Search Results Web Part and XSLT (SharePoint 2010) or Content By Search and Display Templates (SharePoint 2013), and this will security trim.

If you want a little more precision than search provides, and you don’t want to create managed properties or don’t have the permissions to, then you can fall back on REST queries, the results of which are normally rendered using something like Knockout.

You can refer to the excellent CodePlex project (https://kosp.codeplex.com/) for details of how to do this.

So what’s the problem?

If a user loads your page and does not have permission to the list in the other site collection, the REST query will return an HTTP 403 and the browser will request authentication.

Not ideal. What you probably wanted was for the rollup simply not to render.

So how can we work around this?

Well, we can fall back to SPServices. This uses the old SharePoint web services, which still work (even in SharePoint Online and 2016) and which don’t throw a 403 if the user does not have access.

You can refer to another excellent CodePlex project (https://spservices.codeplex.com).

So how could this come together?

So how is this helping us?

  • Using SPServices means we no longer get a 403 if the person rendering the page does not have permission on “MyList” in “MyOtherSite”.
  • The data-bind on visible, dependent on length greater than one, will hide the rollup if the list is empty OR the user does not have permission.
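
The pattern described in the two points above, as an added example that is not the original post's code. "MyList" and "MyOtherSite" are the post's names; the function names, the /sites/MyOtherSite path, the Title field and the minItems threshold parameter are assumptions.

```javascript
// Added example, not the original post's code. "MyList" and "MyOtherSite" are
// the post's names; the function names, the /sites/MyOtherSite path, the Title
// field and the minItems parameter are assumptions made for illustration.

// Turn the outcome of a GetListItems call into the state the view binds to.
// A failed call and a list with too few rows both leave the rollup hidden.
function toRollupState(status, rows, minItems) {
  if (status !== "success" || !Array.isArray(rows)) {
    return { visible: false, items: [] };
  }
  const items = rows
    .filter((r) => r && typeof r.ows_Title === "string" && r.ows_Title !== "")
    .map((r) => ({ title: r.ows_Title }));
  const visible = items.length >= minItems;
  return { visible: visible, items: visible ? items : [] };
}

// Browser wiring; needs jQuery, SPServices and Knockout loaded on the page.
// viewModel: { visible: ko.observable(false), items: ko.observableArray([]) }
function loadRollup(viewModel, minItems) {
  $().SPServices({
    operation: "GetListItems",
    webURL: "/sites/MyOtherSite", // assumed path to the other site collection
    listName: "MyList",
    CAMLViewFields: "<ViewFields><FieldRef Name='Title' /></ViewFields>",
    completefunc: function (xData, status) {
      // Each z:row element carries the list fields as ows_* attributes.
      const rows = $(xData.responseXML).SPFilterNode("z:row").map(function () {
        return { ows_Title: $(this).attr("ows_Title") };
      }).get();
      const state = toRollupState(status, rows, minItems);
      viewModel.items(state.items);
      viewModel.visible(state.visible);
    },
  });
}

// Markup for the view (Knockout's text binding escapes the list values):
//   <div data-bind="visible: visible">
//     <ul data-bind="foreach: items"><li data-bind="text: title"></li></ul>
//   </div>
```

Hiding the rollup is presentation only: whether the user can read “MyList” is still decided by SharePoint on the server.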

Anything else?

  • For the code to work you will need the supporting libraries and jQuery – see the above referenced CodePlex projects.
  • You could add this in a content editor web part, custom web part or page layout.  For the latter you could wrap the function call in a <PublishingWebControls:EditModePanel runat="server" id="DisplayModeScriptPanel" PageDisplayMode="Display"> to stop the script running in edit mode.