SharePoint Malaya: Validate User Base Permissions Before Uploading Document to SharePoint Document Library

If you are building a custom Web Part to upload document to SharePoint Document Library, then you need to validate user’s base permission so that unauthorised user can’t perform upload. You can’t validate based on their permission levels since at anytime base permissions of any permission level can be changed by administrator. Plus, in object model there is no specific method to get the permission level or what permission level assigned to a group or a user.

This article describes how to perform document upload to SharePoint and validate user base permissions so that only authorized users are able to perform the upload.

In SharePoint, the out-of-the-box permission level allowed user with "Contribute" permission level or higher (i.e. "Full Control", "Design", "Manage Hierarchy" and "Approve") to upload document to SharePoint. The following code displays the base permissions for each permission level:

SPSite oSite = new SPSite("http://examplesite");
SPWeb oWeb = oSite.OpenWeb();

SPRoleDefinitionBindingCollection usersRoles = oWeb.AllRolesForCurrentUser;
foreach (SPRoleDefinition roleDefinition in usersRoles)
retVal += roleDefinition.BasePermissions.ToString() + " | ";

System.Diagnostics.Debug.WriteLine(retVal);

“Full Control” permission level:

FullMask
OR SPWeb.UserIsWebAdmin = TRUE

“Design” permission level:

ViewListItems | AddListItems | EditListItems | DeleteListItems | ApproveItems | OpenItems | ViewVersions | DeleteVersions | CancelCheckout | ManagePersonalViews | ManageLists | ViewFormPages | Open | ViewPages | AddAndCustomizePages | ApplyThemeAndBorder | ApplyStyleSheets | CreateSSCSite | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | UseClientIntegration | UseRemoteAPIs | CreateAlerts | EditMyUserInfo

“Manage Hierarchy” permission level:

ViewListItems | AddListItems | EditListItems | DeleteListItems | OpenItems | ViewVersions | DeleteVersions | CancelCheckout | ManagePersonalViews | ManageLists | ViewFormPages | Open | ViewPages | AddAndCustomizePages | ViewUsageData | CreateSSCSite | ManageSubwebs | ManagePermissions | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | ManageWeb | UseClientIntegration | UseRemoteAPIs | ManageAlerts | CreateAlerts | EditMyUserInfo | EnumeratePermissions
OR SPWeb.UserIsWebAdmin = TRUE

“Approve” permission level:

ViewListItems | AddListItems | EditListItems | DeleteListItems | ApproveItems | OpenItems | ViewVersions | DeleteVersions | CancelCheckout | ManagePersonalViews | ViewFormPages | Open | ViewPages | CreateSSCSite | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | UseClientIntegration | UseRemoteAPIs | CreateAlerts | EditMyUserInfo

“Contribute” permission level:

ViewListItems | AddListItems | EditListItems | DeleteListItems | OpenItems | ViewVersions | DeleteVersions | ManagePersonalViews | ViewFormPages | Open | ViewPages | CreateSSCSite | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | UseClientIntegration | UseRemoteAPIs | CreateAlerts | EditMyUserInfo

“Read” permission level:

ViewListItems | OpenItems | ViewVersions | ViewFormPages | Open | ViewPages | CreateSSCSite | BrowseUserInfo | UseClientIntegration | UseRemoteAPIs | CreateAlerts

and for "Site Collection Administrator" user, base permission as follows:

FullMask
OR SPWeb.UserIsSiteAdmin= TRUE

To validate whether user access rights to upload document to SharePoint, the following conditions shall be used:

SPWeb.UserIsSiteAdmin = TRUE OR
SPWeb.UserIsWebAdmin = TRUE OR
AddListItems is exist OR
EditListItems is exist OR
ApproveItems is exist OR

See code below for details:

public static void IsUserBasePermissionValidToUpload(SPWeb oWeb)
{
    try
    {
        if (oWeb.Exists)
        {
            // If user is site collection administrator or admin
            if (oWeb.UserIsWebAdmin || oWeb.UserIsSiteAdmin)
                return;

            // Get roles for current user
            SPRoleDefinitionBindingCollection usersRoles = oWeb.AllRolesForCurrentUser;
            // Validate if user has rights to upload document
            foreach (SPRoleDefinition roleDefinition in usersRoles)
            {
                if (roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.FullMask.ToString())
                    || roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.AddListItems.ToString())
                    || roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.EditListItems.ToString())
                    || roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.ApproveItems.ToString()))
                    return;
            }

            // If user has invalid rights, then throw exceptions
            throw new Exception("Unauthorised to upload document to SharePoint Document Library. " +
                "You are currently signed in as: " + oWeb.CurrentUser.LoginName);
        }
    }
    catch (Exception ex)
    {
        throw ex;
    }
}

SharePoint Malaya

Thursday, July 16, 2009

Validate User Base Permissions Before Uploading Document to SharePoint Document Library

No comments:

Search This Blog

Popular Posts

Labels

Archive

Answered Question

About

Subscribe via Email

Email address