Right then. A custom web part is happily accessing a list using CSOM on a public facing SharePoint site. While setting up a copy of that environment I found that the web part began complaining with the error, “An error has occurred. Access denied. You do not have permission to perform this action or access this resource.” Now I’ve seen this before and recalled that there is a restriction by default when reading list items as an anonymous user when using the method getItems(camlQuery). That restriction can be removed through a few SharePoint PowerShell commands but there is additional step after allowing the method to be called. That is to check that the “Client Object Model Permission Requirement” is disabled. Let’s do this…

1. Get a reference to the Web Application
2. Check the restrictions on your web app and look for GetItems method
3. Remove GetItems method from the restricted MethodsNames
4. Update the Web Application
5. Check again to ensure the method was removed.

Here are the PowerShell Commands for each step:

$webapp = Get-SPWebApplication -Identity http://www.externalfacingsite.com
$webapp.ClientCallableSettings.AnonymousRestrictedTypes
$webapp.ClientCallableSettings.AnonymousRestrictedTypes.Remove([Microsoft.SharePoint.SPList],”GetItems”)
$webapp.Update()
$webapp.ClientCallableSettings.AnonymousRestrictedTypes

At this point, The GetItems method has been successfully unlisted from the restricted methods list. However, you still may be getting the access denied error. That could be due to a Permissions Setting for Anonymous Users.

You can update permission settings at the Web Application level or at the Site Level. For the Web Application level, let’s go back to Central Admin -> Application Management -> Manage Web Applications and select your Web App. Open Authentication Providers and select Default. Scroll down to “Client Object Model Permission Requirement.”  As long as you agree not requiring “Use Remote Interfaces permission” go ahead and disable the permission.

To update the Site permissions, go to Site Settings and Site permissions. Look at the Anonymous Access in the Ribbon. Make sure that Require Use Remote Interfaces permission is disabled (see screenshot). Now anonymous users will be able to see data via the web part without an access denied error.

A couple of tips that I gleaned while writing PowerShell scripts:

1. To write output to a file, use the “Write-Output” command like this: “Write-Output $log_text” and when executing the script, pipe the output to a file like so:

PS C:\> psscripts\coolscript.ps1 | Out-File C:\psscripts\ps.log

2. Sometimes I run scripts from within the Windows PowerShell Integrated Scripting Environment (ISE) and other times from the SharePoint 2010 Management Shell.  To avoid the error of re-adding the SharePoint snapin, I use this code to check if it has already been loaded:

$powershellSnapin = “Microsoft.Sharepoint.Powershell”
if ((Get-PSSnapin -Name $powershellSnapin -ErrorAction SilentlyContinue) -eq $null )
{
Add-PsSnapin $powershellSnapin
}