If you are building a custom Web Part to upload document to SharePoint Document Library, then you need to validate user’s base permission so that unauthorised user can’t perform upload. You can’t validate based on their permission levels since at anytime base permissions of any permission level can be changed by administrator. Plus, in object model there is no specific method to get the permission level or what permission level assigned to a group or a user.
This article describes how to perform document upload to SharePoint and validate user base permissions so that only authorized users are able to perform the upload.
In SharePoint, the out-of-the-box permission level allowed user with "Contribute" permission level or higher (i.e. "Full Control", "Design", "Manage Hierarchy" and "Approve") to upload document to SharePoint. The following code displays the base permissions for each permission level:
SPSite oSite = new SPSite("http://examplesite");
SPWeb oWeb = oSite.OpenWeb();
SPRoleDefinitionBindingCollection usersRoles = oWeb.AllRolesForCurrentUser;
foreach (SPRoleDefinition roleDefinition in usersRoles)
retVal += roleDefinition.BasePermissions.ToString() + " | ";
System.Diagnostics.Debug.WriteLine(retVal);
“Full Control” permission level:
- FullMask
- OR SPWeb.UserIsWebAdmin = TRUE
“Design” permission level:
- ViewListItems | AddListItems | EditListItems | DeleteListItems | ApproveItems | OpenItems | ViewVersions | DeleteVersions | CancelCheckout | ManagePersonalViews | ManageLists | ViewFormPages | Open | ViewPages | AddAndCustomizePages | ApplyThemeAndBorder | ApplyStyleSheets | CreateSSCSite | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | UseClientIntegration | UseRemoteAPIs | CreateAlerts | EditMyUserInfo
“Manage Hierarchy” permission level:
- ViewListItems | AddListItems | EditListItems | DeleteListItems | OpenItems | ViewVersions | DeleteVersions | CancelCheckout | ManagePersonalViews | ManageLists | ViewFormPages | Open | ViewPages | AddAndCustomizePages | ViewUsageData | CreateSSCSite | ManageSubwebs | ManagePermissions | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | ManageWeb | UseClientIntegration | UseRemoteAPIs | ManageAlerts | CreateAlerts | EditMyUserInfo | EnumeratePermissions
OR SPWeb.UserIsWebAdmin = TRUE
“Approve” permission level:
- ViewListItems | AddListItems | EditListItems | DeleteListItems | ApproveItems | OpenItems | ViewVersions | DeleteVersions | CancelCheckout | ManagePersonalViews | ViewFormPages | Open | ViewPages | CreateSSCSite | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | UseClientIntegration | UseRemoteAPIs | CreateAlerts | EditMyUserInfo
“Contribute” permission level:
- ViewListItems | AddListItems | EditListItems | DeleteListItems | OpenItems | ViewVersions | DeleteVersions | ManagePersonalViews | ViewFormPages | Open | ViewPages | CreateSSCSite | BrowseDirectories | BrowseUserInfo | AddDelPrivateWebParts | UpdatePersonalWebParts | UseClientIntegration | UseRemoteAPIs | CreateAlerts | EditMyUserInfo
“Read” permission level:
- ViewListItems | OpenItems | ViewVersions | ViewFormPages | Open | ViewPages | CreateSSCSite | BrowseUserInfo | UseClientIntegration | UseRemoteAPIs | CreateAlerts
and for "Site Collection Administrator" user, base permission as follows:
- FullMask
- OR SPWeb.UserIsSiteAdmin= TRUE
To validate whether user access rights to upload document to SharePoint, the following conditions shall be used:
- SPWeb.UserIsSiteAdmin = TRUE OR
- SPWeb.UserIsWebAdmin = TRUE OR
- AddListItems is exist OR
- EditListItems is exist OR
- ApproveItems is exist OR
See code below for details:
public static void IsUserBasePermissionValidToUpload(SPWeb oWeb)
{
try
{
if (oWeb.Exists)
{
// If user is site collection administrator or admin
if (oWeb.UserIsWebAdmin || oWeb.UserIsSiteAdmin)
return;
// Get roles for current user
SPRoleDefinitionBindingCollection usersRoles = oWeb.AllRolesForCurrentUser;
// Validate if user has rights to upload document
foreach (SPRoleDefinition roleDefinition in usersRoles)
{
if (roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.FullMask.ToString())
|| roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.AddListItems.ToString())
|| roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.EditListItems.ToString())
|| roleDefinition.BasePermissions.ToString().Contains(SPBasePermissions.ApproveItems.ToString()))
return;
}
// If user has invalid rights, then throw exceptions
throw new Exception("Unauthorised to upload document to SharePoint Document Library. " +
"You are currently signed in as: " + oWeb.CurrentUser.LoginName);
}
}
catch (Exception ex)
{
throw ex;
}
}
No comments:
Post a Comment