Case: I have a SharePoint site that has a few lists, site pages, application pages, etc. One of my application pages was custom coded to allow end users to add an item to a SharePoint list; after a successful submit, a success message was shown using a popup dialog page.

My permissions are supposed to be set so that end users have read-only permissions and cannot see any system or application pages (for example Site Contents, which would show them all SharePoint lists and document libraries), except the Contact Us page and the popup dialog, so that end users can still add a new item to one of the lists.

Please note that the solution I am describing is only one of the possible ones. There are, and can be, alternatives to mine; I am merely describing the approach that I used. My main aim was to do the minimum of work and get the site working with most of the customization in place. I planned to have a permission set that allows access to Site Pages and to the one or more application pages that I deployed. I wanted to make sure that system pages and other application pages are not accessible. I also wanted end users to have site access.

Hence I created and customized one permission set and applied it to a group at the parent level, so I did not have to deal with breaking inheritance. Finally, I used UnsecuredLayoutsPageBase as the base class for the application pages that I wanted end users to be able to access.

I achieved this with the following steps:

1. I created a Permission Level as follows:
   a. Under List Permissions, only two permissions: select “Add Items”. It has a dependency on “View Items”, so leave both of them selected.
   b. Under Site Permissions, only five permissions: select “View Pages”, “Browse User Information”, “Use Remote Interfaces”, “Use Client Integration Features” and “Open”.
2. I created a Group and assigned the newly created permission set to it.
4. I opened my application and popup pages and changed the code so that they inherit from UnsecuredLayoutsPageBase rather than SecuredLayoutsPageBase. I also made sure that the code that actually adds an item to the list runs with elevated privileges.
5. Deploy and test.
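
A sketch of the code-behind that step 4 describes, as an added example (not the code from my original solution). Because the page skips the layouts permission check and then writes as the application pool account, it validates the form digest and the input before elevating and only ever writes to one fixed list. The class name, list title, column names and control IDs are assumptions made for illustration.

```csharp
// Added example: hypothetical code-behind for the "Contact Us" application page.
using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

public class ContactUsPage : UnsecuredLayoutsPageBase   // hypothetical class name
{
    private const string ListTitle = "Contact Requests"; // hypothetical list title
    private const int MaxMessageLength = 2000;

    // Controls declared in the .aspx markup (hypothetical IDs).
    protected TextBox txtSubject;
    protected TextBox txtMessage;
    protected Label lblStatus;

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Reject forged or replayed posts before doing anything privileged.
        if (!SPUtility.ValidateFormDigest()) { lblStatus.Text = "Request expired, please reload."; return; }

        // Elevated code trusts nothing from the request: check presence and length.
        string subject = (txtSubject.Text ?? "").Trim();
        string message = (txtMessage.Text ?? "").Trim();
        if (subject.Length == 0 || subject.Length > 255 ||
            message.Length == 0 || message.Length > MaxMessageLength)
        { lblStatus.Text = "Please enter a subject and a message."; return; }

        // Read IDs and the caller's identity outside the delegate: objects taken from
        // SPContext keep the caller's read-only permissions even inside the delegate.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        SPUser caller = SPContext.Current.Web.CurrentUser;
        string submittedBy = caller != null ? caller.LoginName : "(unknown)";

        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            // New SPSite/SPWeb instances are required for the elevation to take effect.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPListItem item = web.Lists[ListTitle].Items.Add(); // fixed list, never user-chosen
                item["Title"] = subject;
                item["Message"] = message;          // hypothetical column
                item["SubmittedBy"] = submittedBy;  // hypothetical column; keeps an audit trail
                item.Update();
            }
        });
        lblStatus.Text = "Thank you, your message was submitted.";
    }
}
```

Items created this way show the system account as their author, which is why the caller's login name is stored in a separate column.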