SOLVED

Displaying an image (URL) despite item-level permissions


Hello dear community,

I have a SharePoint list that is configured so that each user can only see and edit the items that they have created.
Among other things, the list contains an image column.

Is it normal that another user can view the image in the image column if he knows the image URL? Currently this is the case.
My question now is whether I have configured something incorrectly or whether this cannot be prevented.

Many greetings and thanks!

3 Replies
best response confirmed by moritz1812 (Copper Contributor)
Solution

@moritz1812 This is by design in SharePoint, as images added to an image column in SharePoint are stored in the Site Assets library and not in the same list where the image column is being used.

Check this article to know more about where exactly the images are stored: SharePoint Online: All you need to know about New Image column type

So, if a user knows the URL of the image and has access to the Site Assets library, they will be able to see the images.

If you don't want this, you would have to go to the Site Assets library and manually break & grant permissions on the image files - same as list item permissions. This will be an additional step for site admins/users. Check this for detailed steps on managing permissions: Set Specific User Restrictions on certain pages. I would recommend not changing image permissions in this way if the images are not private, or unless this is necessary due to some privacy/security restrictions.


Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.

For SharePoint/Power Platform blogs, visit: Ganesh Sanap Blogs
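
The manual "break & grant" step described in the answer above can be scripted. The following is an added example, not part of the original post or any Microsoft-provided script: it assumes the PnP.PowerShell module, an account allowed to manage permissions on the site, and that each image file's `Author` is the user who should keep access. The site URL, folder path and library title are placeholders.

```powershell
# Added example (not from the thread). Placeholders below must be replaced.
$SiteUrl   = 'https://contoso.sharepoint.com/sites/example'   # placeholder site
$Library   = 'Site Assets'                                    # assumed library title
$FolderUrl = '/sites/example/SiteAssets/Lists/<list-guid>'    # placeholder: folder holding the column's images
$Role      = 'Read'                                           # permission level granted to the uploader
$DryRun    = $true                                            # set to $false to apply changes

# Interactive sign-in; depending on the module version, -ClientId may also be required.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Fetch only files (not sub-folders) below the image folder, paged for large libraries.
$files = Get-PnPListItem -List $Library -FolderServerRelativeUrl $FolderUrl -PageSize 500 |
    Where-Object { $_.FileSystemObjectType -eq 'File' }

foreach ($file in $files) {
    $path  = $file.FieldValues['FileRef']
    $owner = $file.FieldValues['Author'].Email

    # Skip files whose uploader cannot be resolved instead of locking everyone out.
    if ([string]::IsNullOrEmpty($owner)) {
        Write-Warning "No uploader e-mail for $path, left unchanged"
        continue
    }

    if ($DryRun) {
        Write-Host "Would restrict $path to $owner ($Role)"
        continue
    }

    # Break inheritance, drop the inherited role assignments, grant only the uploader.
    Set-PnPListItemPermission -List $Library -Identity $file.Id `
        -User $owner -AddRole $Role -ClearExisting
    Write-Host "Restricted $path to $owner ($Role)"
}
```

Site collection administrators keep access regardless of item permissions, and files uploaded after the run still inherit the library's permissions until the script is run again.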

@ganeshsanap

I do have one more question:
By way of background, I am using SharePoint as a data source for a Power App.
The images in the images column should indeed be private.

The list with the images column is, as already said, set so that normal users can only see and edit their own items. I also created a separate permission level for the normal users that allows very little. Among other things, they can't see forms, views, and application pages.

moritz1812_0-1682309818445.png

(Among other things, this was removed from the permissions.)

Is there any way someone else can get the link to someone else's image? After all, the GUID can be found out so easily, right?

@moritz1812 It will be difficult for normal end users to get the GUID of the image from the SharePoint list.

However, if someone is an expert in SharePoint or knows how to navigate through SharePoint using shortcut URLs, etc., they might be able to find the images in the Site Assets library if they have access to it.


Please consider giving a Like if my post helped you in any way. For SharePoint/Power Platform blogs, visit: Ganesh Sanap Blogs
