I'm facing the following problem:
I added a custom list setting, which is shown under the general settings of any list. The link in the general settings redirects to an aspx-Site where the admin can set some settings.
The normal users without the right permissions can't see the list-settings (which is correct) but they can open the aspx-site by calling the URL directly and change the values I store in the property-bag of the list.
The aspx-Site seems to inherite the permissions from the root, but I need it to have the exect same permissions I have for the list-setting page.
Does anyone know how to do that?
Thanks in advance!!
I found a solution myself.
I check the permissions in the code behind:
if (!list.DoesUserHavePermissions(SPBasePermissions.ManageLists))
And I added this to the Elements.xml:
Rights="ManageLists"
Now the user isn't able to see the page unless he has the ManageList permission.
Maybe this will help somebody else later.
Thanks!