aarebrot.net Frode's blog on Sharepoint and other stuff

Finding the Base Permissions of a user

Posted on November 3, 2008

Lately I've been working on a re-direct web part for a client. The web part should redirect the users immediately (preferably without them noticing it), and therefore a 5 second countdown is not an ideal way to go (also one of the reasons we're not just using a redirect page layout). One of the issues I came across was, if the web part redirects immediately, how do you ever go in and change the settings easily?

My first thought was to only redirect users who weren't in either of the Owner, Contributor or Web Designer groups. Of course, since I'm somewhat of a rookie C# and SharePoint developer, it wasn't immediately apparent to me how to go about checking for such memberships.

The first solution I came up with was the following:

SPWeb currentWeb = SPContext.Current.Web;
if (currentWeb.UserIsSiteAdmin)
{
  // some admin message here
}
else
{
  // redirect
}
// Do not dispose currentWeb: the object returned by SPContext.Current.Web is owned by SPContext.

Of course this code only checks if the user is a site collection admin, so that was no good at all. After some (fruitless) googling and a lot of digging around in MSDN articles, I came up with an idea to use something like this:

string redirectUrl = "#";
bool accessGranted = false;

SPWeb currentWeb = SPContext.Current.Web;
SPUser user = currentWeb.CurrentUser;

// Check whether the user belongs to one of the hard-coded groups
foreach (SPGroup group in user.Groups)
{
  if (group.Name == "Group Name 1" || group.Name == "Group Name 2" || group.Name == "Group Name 3")
    accessGranted = true; // If they do, set flag and grant them access
}
if (accessGranted)
{
  // Show members of the listed groups a message
  this.Controls.Add(new LiteralControl("Use modify web part to change settings"));
}
else
{
  // Re-direct other users
  SPUtility.Redirect(redirectUrl, SPRedirectFlags.Default, this.Context);
}

// Do not dispose currentWeb: the object returned by SPContext.Current.Web is owned by SPContext.

Now this solution worked better than the first one, but it is not very flexible. If any of the groups change names, or if additional groups are created, the web part has to be modified, rebuilt, and redeployed. After some more digging I came across RoleDefinitions and BasePermissions. With the help of these, I could write code that would redirect all users that didn't have permissions to customize web parts, regardless of their group memberships.

// Requires: using System.Web; using Microsoft.SharePoint; using Microsoft.SharePoint.WebControls;
SPSite oSPSite = SPControl.GetContextSite(this.Context);
oSPSite.CatchAccessDeniedException = false;

// OpenWeb returns a new SPWeb instance, so this one is ours to dispose.
using (SPWeb oSPWeb = oSPSite.OpenWeb(SPContext.Current.Web.ServerRelativeUrl))
{
  try
  {
    if (_enableRedirect && _redirectUrl != "#" && _redirectUrl != this.Page.Request.Url.ToString())
    {
      // Encode the URL before writing it into the href attribute.
      this.Controls.Add(new LiteralControl("<a href=\"" + HttpUtility.HtmlAttributeEncode(_redirectUrl) + "\">Click here if you are not redirected.</a><br>"));
      // Flag test on the effective permissions. FullMask has every permission bit set, so it passes as well.
      if ((oSPWeb.EffectiveBasePermissions & SPBasePermissions.AddAndCustomizePages) == SPBasePermissions.AddAndCustomizePages)
        this.Controls.Add(new LiteralControl("Modify web part to change re-direction settings."));
      else
        this.Page.Response.Redirect(_redirectUrl);
    }
    else
      this.Controls.Add(new LiteralControl("Redirection is disabled.<br>"));
  }
  catch (Exception ex)
  {
    Label lblError = new Label();
    // Label.Text is rendered as raw HTML, so encode it. Outside of debugging,
    // write these details to the server log rather than showing them to every visitor.
    lblError.Text = HttpUtility.HtmlEncode("An unhandled exception occurred: " + ex.Source + " : " + ex.TargetSite + " : " + ex.InnerException + " : " + ex.Message + " : " + ex.StackTrace);
    lblError.Style["color"] = "red";
    this.Controls.Add(lblError);
  }
}

oSPSite.CatchAccessDeniedException = true;
// Do not dispose oSPSite: SPControl.GetContextSite returns the SPSite shared by the current request.

ChildControlsCreated = true;

Obviously this is just a code snippet, but if you're looking for something to help filter output or actions based on a user's permissions it should give you a nudge in the right direction. Below is a list of the different Role Definitions and their respective Base Permissions.

Full Control

FullMask

Design

ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyThemeAndBorder, ApplyStyleSheets, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Manage Hierarchy

ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ViewUsageData, CreateSSCSite, ManageSubwebs, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions

Approve

ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Contribute

ViewListItems, AddListItems, EditListItems, DeleteListItems, OpenItems, ViewVersions, DeleteVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, UseClientIntegration, UseRemoteAPIs, CreateAlerts, EditMyUserInfo

Read

ViewListItems, OpenItems, ViewVersions, ViewFormPages, Open, ViewPages, CreateSSCSite, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts

Restricted Read

ViewListItems, OpenItems, Open, ViewPages

Limited Access

Open, BrowseUserInfo, UseClientIntegration

For a full (alphabetically sorted) list of Base Permissions and their effects, have a look at this MSDN article.
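
Base permissions form a flags enum, so a permission is tested with a bitwise AND; looking for a permission's name in the enum's text form gives wrong answers where one name is part of another (Open and OpenItems in the lists above) and misses FullMask. The console program below is an added example, not code from the original post: the `Perm` enum is a stand-in for `SPBasePermissions` with constructed bit values, `PermissionCheck` is a hypothetical helper, and the "Items only" mask is constructed.

```csharp
using System;
using System.Collections.Generic;

// Stand-in for Microsoft.SharePoint.SPBasePermissions, cut down to the names
// used here. The bit values are constructed, not SharePoint's.
[Flags]
enum Perm : ulong
{
    ViewListItems = 1, OpenItems = 2, Open = 4, ViewPages = 8,
    AddAndCustomizePages = 16, BrowseUserInfo = 32, UseClientIntegration = 64,
    FullMask = ulong.MaxValue
}

static class PermissionCheck
{
    // Text test: true whenever the enum's string form contains the name.
    public static bool ByString(Perm effective, Perm required)
    {
        return effective.ToString().Contains(required.ToString());
    }

    // Flag test: true only when every required bit is set.
    public static bool ByFlags(Perm effective, Perm required)
    {
        return (effective & required) == required;
    }

    static void Main()
    {
        var masks = new Dictionary<string, Perm>
        {
            { "Full Control", Perm.FullMask },
            { "Restricted Read", Perm.ViewListItems | Perm.OpenItems | Perm.Open | Perm.ViewPages },
            { "Limited Access", Perm.Open | Perm.BrowseUserInfo | Perm.UseClientIntegration },
            // Constructed mask, not a built-in role: item access without Open.
            { "Items only", Perm.ViewListItems | Perm.OpenItems }
        };
        foreach (Perm required in new[] { Perm.AddAndCustomizePages, Perm.Open })
        {
            Console.WriteLine("Required: " + required);
            foreach (KeyValuePair<string, Perm> m in masks)
                Console.WriteLine("  {0,-16} string={1,-5} flags={2}", m.Key,
                    ByString(m.Value, required), ByFlags(m.Value, required));
        }
    }
}
```

The two tests disagree for Full Control, whose text form is just "FullMask", and for the items-only mask, where the text "OpenItems" contains "Open" although the Open bit is not set.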
