Users who have permission to the sub site but not to the top level site are getting access denied error when I use SPContext.Current.Site.SystemAccount.UserToken in my web part added to the sub site. Only after I give them read acces to the top level site they are not getting access denied error.
Can anyone please let me know where am I going wrong. Thanks.
It seems to be a normal behavior of limited access to SPContext.Current.Site.SystemAccount.UserToken for users with restricted privileges. Just image that the property SystemAccount is a member of site collection SPContext.Current.Site for which current user in sub site has no rights.
But if you wish to get SPContext.Current.Site.SystemAccount.UserToken anyway you can do it with SPSecurity.RunWithElevatedPriviliges
Related
I'm trying to get the sharepointonline userprofiles from sharepoint hostedapp by refering the below MSDN
https://dev.office.com/sharepoint/docs/general-development/how-to-retrieve-user-profile-properties-by-using-the-javascript-object-model-in
but when am trying to execute the code it throws the following error "Error: Access denied. You do not have permission to perform this action or access this resource".
In above artical they have mentioned to enter the "domainName\\userName", here am just confused whether which domain I should give either my app domain or my sharepointonline domain.
Since i tried both the domains but the issue remains same.
Anyone please advice...
Thanks in advance
You are getting access denied because your hosted app does not have to required permission to execute user profiles.
On your SharePoint Hosted App solution AppManifest.xml grant the necessary permission for your app to access. In your case it would be:
Depending on your usage you may require to grant it more than just "Read".
While permissioning the pages created in Guest site, I disable the view permission for Guest role and then log out.
Now when I try to login, I can see error message displaying permission error.
I know one of the possible way to resolve it would be firing some database query and enabling view permission for Guest role so that I can atleast log in.
However Is there any other way to resolve this ?
Also It would be nice If anyone provides the database query for this.
Thanks in advance.
One approach I found is to use Auto login functionality of liferay.
Following are the steps:
1) Add following property in portal-ext.properties
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin,com.liferay.portal.security.auth.FacebookAutoLogin,com.liferay.portal.security.auth.NtlmAutoLogin,com.liferay.portal.security.auth.OpenIdAutoLogin,com.liferay.portal.security.auth.OpenSSOAutoLogin,com.liferay.portal.security.auth.RememberMeAutoLogin,com.liferay.portal.security.auth.SiteMinderAutoLogin,com.liferay.portal.security.auth.ParameterAutoLogin
2) Now start the server and go to
LIFERAY_IP:LIFERAY_PORT?parameterAutoLoginLogin=ADMIN_USERNAME¶meterAutoLoginPassword=ADMIN_PASSWORD
i.e in my case
localhost:8080?parameterAutoLoginLogin=test#liferay.com¶meterAutoLoginPassword=test
3)You will now be able to log in to portal and then go to control panel with /group/control_panel and modify the permission of page.
If I have windows authentication enabled, anonymous and basic disabled for an individual aspx page in iis6 and in the acl only my user (That I'm logged in as) has full permissions to that file, no other account has been added to the list.
Why do I get an 401.3 access is denied error when the credentials are correct. The credentials box just keeps appearing. I have removed inheritance from the parent directory incase there were any deny permissions, i have checked my account isn't locked and I've even tried using fiddler to see if I can find any problems but I find it confusing.
The only way I could get the page to show is by adding the everyone group into the acl which makes me think even though I have specified windows authentication,it's still using another account but i don't know which one? I tried adding the IUSR account into the acl but still no luck.
Could it be something to do with NTML and kerberos. on fiddler, it says:
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
But I don't know if this is correct ( a bit out my league). So any tips or ideas to look at would be appreciated.
Thanks
401.3 is Unauthorized due to ACL on resource. I would run Process Monitor, reproduce the issue, and search for Access Denied. Then fix the errors by providing appropriate permissions.
http://blogs.msdn.com/b/rahulso/archive/2006/01/18/using-filemon-regmon-to-solve-quot-access-denied-quot-issues.aspx
I know it is very old but make sure these users have access to the main folder of your website:
IUSER,
Network Services
IIS_IUSERS
read and execute is enough
I want to move a page between sites from a site collection.
I am getting result as :-
Operation Failed.
Access Denied. Not enough permission.
When I login as Site administrator, I can move page between sites.
The user with contribute permission cannot move pages between sites.
Please help me for this issue...
It looks like the permission level issue.
Instead using the default permission levels (Contributor in your case, which has no rights to manage web), you should probably create a custom permission level that has permissions fits your need.
Please go read
http://office.microsoft.com/en-us/sharepointtechnology/HA101001491033.aspx
Hope it helps
James is correct, you need more permissions.
If you don´t wan´t to add those permissions to the users you could create your own "move" function that uses elevated permissions to do the copying. Things to look out for though is that you would have to "restore" the current users credentials on the createdby and modifiedby columns after the move since those will be sharepoint\system when elevated.
I am trying to replicate a production issue in my dev environment but am running into permissions issues, where a user in the "Contributor" group gets an access denied error. Furthermore, if I make this user a Site Collection administrator he still gets the same access denied error.
Why is this happening? How do I fix?
UPDATE: I do not have a problem when I log in from inside my VM in the dev environment. The problem must be that my dev environment is its own domain. So the question becomes, how can I log in from a machine not in the domain? I'd like to avoid extending the web application if possible.
UPDATE 2: By the way, I'm able to log in the site from my host OS fine when the credentials I use are of the "System Account."
Troubleshooting Access Denied errors is something that plagues me daily... so I feel your pain.
I am assuming this user is trying to access some page in SharePoint. From my experience, if even one Web Part on the page is accessing something the user does not have access to, the entire Access Denied page is shown.
One way to troubleshoot access to the SITE (not the page) is by visiting the "All Site Content" page: /_layouts/viewlsts.aspx. If they can get to this page, then it is something wrong with the page and not the site.
Next I would try exporting and then DELETING (not closing) webparts from the page to determine which one is causing the problem. Since you have a dev environment, I assume you could do another restore if things get too mucked up.
when do they get the access denied error? hitting the site?
are you sure that the user you're adding to the group is the same user you're logging in as? Sometimes if you have multiple user stores you can add different users to the group: DOMAIN\joe.user, forms:joe.user, someotheraccountstore:joe.user, etc.