    October 03

    SharePoint: Does the user have permissions?

    A common task in SharePoint programming is writing security code. One of the great things about the object model is that it is security trimmed, so you can usually just ask for items that the user has permissions for. However, there may be items that the user can access but on which the user still doesn't have permission to perform a specific task, which is a great reason to check for permissions before attempting an operation. I'm pretty sure I've blogged about this before... but I've heard this question several times lately.

    To check for permissions on an item, the SPSecurableItem interface defines two methods for checking security. The DoesUserHavePermissions method returns a bool specifying if the user can access the item, whereas the CheckUserHasPermissions method will throw a security exception, which causes a 401 HTTP status if the current SPSite's CatchAccessDeniedException property isn't set to false. Also note that you call these using the SPBasePermissions value which specifies the task you want to check permissions for, and you don't use the overload

    The following sample shows how to check permissions on the SPWeb level:

    SPWeb web = SPContext.Current.Web;
    if (web.DoesUserHavePermissions(SPBasePermissions.ViewListItems)) {
      // do something, like enumerate lists
    }

    The SPList is also an ISecurableObject, which means that you can apply the same principles
    to check permissions on lists. To check the user’s permission to view list items within a
    specific list, call the list’s DoesUserHavePermissions method as follows:
    foreach (SPList list in web.Lists) {
      if (list.DoesUserHavePermissions(SPBasePermissions.ViewListItems)) {
        /* Process the list */
      }
    }

    Likewise, the same method is available in other objects, such as the SPListItem class, which
    can be used to ensure that the user has permissions to the item or document:
    foreach (SPListItem item in list.Items) {
      if (item.DoesUserHavePermissions(SPBasePermissions.ViewListItems)) {
        /* Process the list item */
      }
    }

    You can also check if the anonymous user has access to an item like this, in the case where the current user is anonymous:

    if ((list.AnonymousPermMask64 & SPBasePermissions.ViewListItems) ==  SPBasePermissions.ViewListItems){
          // Do something here...
    }

    You can also get the subwebs for the calling user using the GetSubwebsForCurrentUser method, which returns a security-trimmed collection of webs:

    SPContext.Current.Web.GetSubwebsForCurrentUser();
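
The checks above combined into one helper, as an added example that is not code from the original post: it finds the items the caller can read and is also allowed to edit. The class and method names are hypothetical, and it assumes that SPWeb.CurrentUser is null for an anonymous request.

```csharp
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example; EditableItemFinder and its methods are hypothetical names.
public static class EditableItemFinder
{
    // True when the caller holds every bit of 'needed' on the list.
    // Assumption: SPWeb.CurrentUser is null for an anonymous request.
    public static bool CallerHas(SPWeb web, SPList list, SPBasePermissions needed)
    {
        if (web.CurrentUser == null)
        {
            // Anonymous caller: test the list's anonymous permission mask.
            return (list.AnonymousPermMask64 & needed) == needed;
        }
        return list.DoesUserHavePermissions(needed);
    }

    // Maps list title -> IDs of the items the caller may edit.
    public static Dictionary<string, List<int>> FindEditable(SPWeb web)
    {
        var result = new Dictionary<string, List<int>>();
        foreach (SPList list in web.Lists)
        {
            // Skip lists the caller cannot even read.
            if (!CallerHas(web, list, SPBasePermissions.ViewListItems))
                continue;

            var ids = new List<int>();
            foreach (SPListItem item in list.Items)
            {
                // Readable is not editable: an item can carry narrower
                // permissions than its list, so test the task itself.
                if (item.DoesUserHavePermissions(SPBasePermissions.EditListItems))
                    ids.Add(item.ID);
            }
            if (ids.Count > 0)
                result[list.Title] = ids;
        }
        return result;
    }
}
```

Call FindEditable(SPContext.Current.Web) from page or web part code that runs in the requesting user's context, and only offer edit actions for the IDs it returns.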

    Comments (22)

    Jan. 28
    Andy Burns wrote:
    Re: View All Site Content - in the master page, go to the LinkButton that shows the 'View all site content' link. Around it there is an SPSecurityTrimmedControl control. Change the PermissionsString element value to something like ManageWeb. You'll need to use SharePoint Designer though. But that should solve the issue.

    See:

    http://msdn2.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
    http://jacksonc.wordpress.com/2007/08/29/i-dont-wanna-see-all-site-content/
    Oct. 17
    David Picton wrote:
    Yes, Daniel, I agree with all the points you've raised here. But being an administrator rather than a developer who still has to spend a lot of time configuring SharePoint sites, I'd prefer to shift this conversation into an admin-targeted area. This will allow me to feel more confident and probably will make it possible for us to look at this topic from a different point of view thus extracting the interesting stuff from all the points. I know, there are some that say that you shouldn't be managing SharePoint if you don't want to dig into its internals and code the functionality yourself. For me this sounds like they are going to say you shouldn't drive your car if you can't repair the fuel injection. Sounds arrogant, doesn't it? The driver should drive the truck, administrator should administrate the environment he was assigned to maintain. This doesn't mean that they should not try to implement some functionality themselves if they want to and know how. But going forward I'd like to say thank you for your contribution to the community of SharePoint administrators and add some strings to what you've said. First, I'd like to say that answering to your phrase that a "common task in SharePoint programming is writing security code", I'd like to say that this in general can definitely be applied to my job as an administrator. I believe, a common task in SharePoint administration is managing security. But what to do if I am not an experienced developer? For example MOSS 2007 brought a lot of security enhancements which are hard to use based on the default administration functionality only. I used to mix the administration approaches by implementing features that use both the basic functionality and custom made ones but frankly speaking it was quite ineffective for our environment.
    We maintain the environment which is probably not the most complicated environment ever built, but still it's a large environment with a gazillion items and a farm of servers running a set of intranet sites. Recently when we migrated to WSS 3.0 we added extranet site to the set of sites we maintain. OK, SharePoint added a marvelous feature to set item-level permissions that's what I could have only dreamed of before. But why on Earth is it too hard to manage? For me, the problem lies in the complexity of what SharePoint tries to expose. But should that stop us from implementing these great innovations in our environment? I think not. The only real problem is that we are slightly uninformed on the opportunities we have among the default features. We habitually use the third-party tools when it comes to managing our Windows Server environment, but most of us including me, don't think about using the same third-party tools for managing SharePoint security. For example, one of the problems I face most frequently is finding out which accounts in our domain have which level of access permissions to which items on my site. Not so long ago I stumbled upon a security management tool from Scriptlogic called Security Explorer. You know what? It turned out that Scriptlogic has read my mind. The tool has the feature to search for all the securable objects that have defined level of access permissions. A good example is finding out who has the ability to copy files to the library. Obviously, you have to have the Contribute permission level for the library - but how do you find out who has this permission and who doesn't? That's pretty much like auditing NTFS objects in Windows Server. You can set the auditing for whatever number of files or folders you want but go find which files have been set for auditing several months later. I am currently trialing Security Explorer and can confirm that this question is of no problem there.
    You just select the location, define the type of permission and you're done.
    That's all - just wanted to notify other admins like me who spent nights trying to implement something to help with permission management knowing nothing about the existence of Security Explorer. Second, I would like to hear your opinion on this topic, what do you think, what can you suggest further talking about programming or administering SharePoint security.

    Hmm. Seems like robots attacked your blog. Dunno if it's possible to add some kind of custom authentication to Live! Blogs. A good example of the situation where we definitely need the Contribute permission to be implemented.
    Oct. 10
    Oct. 6
    Jamie wrote:
    well looks like it must really be hard to turn off the computer in your head!!!
    Oct. 5
