Gorgo.Live.ToString()

Mariusz, Gorzoch tech Blog

A word around SharePoint security model


Today I want to write a few words about how I understand the SharePoint security model, and how to check, or build a solution that presents, the list of sites where a particular user has "contribute" rights.
 
In general, the concept of the SharePoint security model can be presented with the picture shown below:
 
On the left side, we have the most granular permissions that exist in SharePoint, which you cannot see. These permissions are always what is used when assigning a permission to a user or group (so, for example, if you assign the contribute permission to a user or group, then in reality you assign a group of granular permissions). Going further, in the middle you have the permission groups defined by the SharePoint team. Those permissions (like “Full control”, “Design”, “Contribute”, etc.) are nothing more than groups that gather some granular permissions. Up to this point, the end user has no option to tweak those permissions, so if we build something based on them, we can be sure that the user will not break it. On the right side you have the UI permission objects, that is “Users” and “Groups”. Each site owner can tweak his site's permissions by assigning the permissions from the middle of the picture (blue background) to individual users or groups (and, through groups, to users).
 
OK, so we know the basics now. Let's use this knowledge to build a simple web part that presents the list of sites where the user has "contribute" rights. As you could see in the picture above, the "Contribute" right is nothing more than a group of particular granular permissions. Let's declare a variable to hold the list of those granular permissions:
 
        public static SPBasePermissions ContributeRole = (SPBasePermissions.ViewListItems
                | SPBasePermissions.AddListItems
                | SPBasePermissions.EditListItems
                | SPBasePermissions.DeleteListItems
                | SPBasePermissions.OpenItems
                | SPBasePermissions.ViewVersions
                | SPBasePermissions.DeleteVersions
                | SPBasePermissions.ManagePersonalViews
                | SPBasePermissions.ViewFormPages
                | SPBasePermissions.Open
                | SPBasePermissions.ViewPages
                | SPBasePermissions.CreateSSCSite
                | SPBasePermissions.BrowseDirectories
                | SPBasePermissions.BrowseUserInfo
                | SPBasePermissions.AddDelPrivateWebParts
                | SPBasePermissions.UpdatePersonalWebParts
                | SPBasePermissions.UseClientIntegration
                | SPBasePermissions.UseRemoteAPIs
                | SPBasePermissions.CreateAlerts
                | SPBasePermissions.EditMyUserInfo);
 
To generate the list of sites where the current user has the "Contribute" right, we just need to iterate through all webs and check whether the current user has the rights defined by the "ContributeRole" variable. You can do it like this:
 
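  // Requires: using System.Collections.Generic; using Microsoft.SharePoint;
  Dictionary<string,string> websToReturn = new Dictionary<string,string>();
  // Capture the login before elevating; inside the delegate the code runs as the application pool account.
  string currentUserLogin = SPContext.Current.Web.CurrentUser.LoginName;
  SPSecurity.RunWithElevatedPrivileges(delegate()
   {
    foreach (SPSite currentSite in SPContext.Current.Site.WebApplication.Sites)
    {
     try
     {
      foreach (SPWeb web in currentSite.AllWebs)
      {
       try
       {
        // True only when the user holds every permission in the ContributeRole mask.
        if (web.DoesUserHavePermissions(currentUserLogin, ContributeRole))
         if (!websToReturn.ContainsKey(web.Url))
          websToReturn.Add(web.Url, web.Title);
       }
       finally
       {
        // Webs returned by AllWebs must be disposed by the caller.
        if (web != null)
         web.Dispose();
       }
      }
     }
     finally
     {
      // Site collections returned by WebApplication.Sites must be disposed as well.
      currentSite.Dispose();
     }
    }
   });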
 
This piece of code will fill the websToReturn dictionary with all sites where our user has "Contribute" rights.
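
Because the check above requires every bit in the ContributeRole mask, a user whose permission level lacks even one of them is left out of the result. The helper below is an added example, not code from the original post: it reports which granular permissions from the mask a user is missing on a given web. The class and method names are hypothetical, and it assumes the object model exposes SPWeb.GetUserEffectivePermissions(string), as SharePoint 2010 and later do.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Hypothetical helper (not from the original post).
public static class ContributeAudit
{
    // Returns the granular permissions from 'required' that 'login' lacks on 'web'.
    // An empty list means the user holds every bit of the mask on that web.
    public static List<SPBasePermissions> MissingPermissions(
        SPWeb web, string login, SPBasePermissions required)
    {
        // Effective rights combine direct assignments and group memberships.
        SPBasePermissions effective = web.GetUserEffectivePermissions(login);

        // Bits that are required but not granted.
        SPBasePermissions missing = required & ~effective;

        List<SPBasePermissions> result = new List<SPBasePermissions>();
        foreach (SPBasePermissions flag in Enum.GetValues(typeof(SPBasePermissions)))
        {
            // EmptyMask and FullMask are aggregate values, not single permissions.
            if (flag == SPBasePermissions.EmptyMask || flag == SPBasePermissions.FullMask)
                continue;

            if ((missing & flag) == flag)
                result.Add(flag);
        }
        return result;
    }
}
```

Call it inside the elevated loop, for example `ContributeAudit.MissingPermissions(web, currentUserLogin, ContributeRole)`, to see why a particular web was not added to websToReturn.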

Written by Mariusz Gorzoch

15 July 2009 at 20:23

Posted in SharePoint
