Access denied error while using People picker on custom page - sharepoint

We have custom upload page for document library.
On upload page we have one people picker field,
(user can enter multiple users id)
Design for People picker
<SharePoint:PeopleEditor ID="pplApprovers" runat="server" Width="250px" Height="25px" MultiSelect="true"/>
to get emp id from people picker we use below code
public ArrayList approversArray;
public SPFieldUserValueCollection approversCollection;
try
{
SPSecurity.RunWithElevatedPrivileges(delegate()
{
ArrayList aAccount1 = new ArrayList();
approversArray= pplApprovers.Entities;
approversCollection = new SPFieldUserValueCollection();
SPUser user;
SPGroup group;
SPUser currentUser;
SPWeb web=SPControl.GetContextWeb(Context);
currentUser=web.CurrentUser;
ArrayList aAccount = new ArrayList();
aAccount = pplApprovers.Accounts;
ArrayList peEntities = pplApprovers.Entities;
approversArray = pplApprovers.ResolvedEntities;
foreach (PickerEntity entity in approversArray)
{
if (entity.EntityData["PrincipalType"].ToString() == "SharePointGroup")
{
group = web.SiteGroups[entity.Key];
approversCollection.Add(new SPFieldUserValue(web,group.ID, group.Name));
}
else
{
//handles SecurityGroup, Distribution List and User
user = web.EnsureUser(entity.Key);
approversCollection.Add(new SPFieldUserValue(web,user.ID, user.Name));
}
}
});
catch (Exception ex)
{
// Manage error event
}
and after getting this value we are inserting it in document library.
item.Item["Account Partner"]="approversCollection";
but after clicking upload button the only user who have site admin access can successfully upload the file but other user's who don't have admin access gets redirected to the
https://web/_layouts/AccessDenied.aspx
page
We tried using SPSecurity.RunWithElevatedPrivileges but got no success...
Anyone please let me know how to resolve this issue or alternate way to use people picker

Instead of using the SPContext of the web object you need to create a new site and web object under the elevated privileges.
SPWeb web=SPControl.GetContextWeb(Context)
You need to use this under your elevated permissions:
using (SPSite site = new SPSite(SPContext.Current.Web.Url))
{
using(SPWeb web = site.OpenWeb())
{
....
}
}

Related

[SharePoint 2010]Value from a User Profile custom field returns Null

In an EventReceiver I call this method GetPernNr on Item Added:
public override void ItemAdded(SPItemEventProperties properties)
{
SPSite site = properties.Web.Site;
using (SPWeb currentWeb = site.OpenWeb(properties.Web.ID))
{
.....
perNr = UserProfileUtils.GetPernNr(currentWeb, assignedTo.ToString());
.....
}
}
where assignedTo is a SPUser.
public static string GetPernNr(SPWeb web, string accountName)
{
string perNr = string.Empty;
UserProfile upUser = null;
try
{
PermissionSet ps = new PermissionSet(System.Security.Permissions.PermissionState.Unrestricted);
ps.Assert();
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite siteColl = new SPSite(web.Site.ID))
{
SPServiceContext serviceContext = SPServiceContext.GetContext(siteColl);
UserProfileManager upm = new UserProfileManager(serviceContext);
if (upm.UserExists(accountName))
{
upUser = upm.GetUserProfile(accountName);
if (upUser["PersonNumber"] != null)
{
perNr = upUser["PersonNumber"].Value.ToString();
}
}
}
});
}
catch (Exception ex)
{
..
}
finally { System.Security.CodeAccessPermission.RevertAssert(); }
return perNr;
}
It's strange, this code works when I try to get value from a default field in UserProfile (Office, Manager, etc). And also works when I call this method outside EventReceiver, but in my case, upUser["PersonNumber"].Value returns null.
Any help will be much appreciated
Did you check the custom property permission in the central admin.
Central Administration -> Edit User Profile Property -> Policy Settings
Make default privacy policy to everyone and then try.
Here is the steps for SharePoint Server 2013:
Central Admin > Application Management > Manage service applications > Your User Profile Application > Manage User
Properties
Select Edit option from property menu.
Now Under "Policy Settings":
Set Default Privacy Setting: Everyone

Check current user's permission if the user has no enumerate permission in SharePoint

As we know, we can check user's permission by doing this:
using (SPWeb web = site.OpenWeb(path))
{
SPUser user = SPContext.Current.Web.CurrentUser;
string loginName = user.LoginName;
if (web.DoesUserHavePermissions(SPBasePermissions.EnumeratePermissions))
{
if (web.DoesUserHavePermissions(user.LoginName, SPBasePermissions.Open))
{
//do something
}
}
}
Here is my question, if current user doesn't have enumerate permission, how to get permissions on SharePoint object? Thanks in advance.
You can do it by opening an "admin" web instance (creating a SPSite object and passing System account's user token to it). This way you do not have to worry about whether current user has or has not got enough permission.
SPUserToken adminToken = SPContext.Current.Web.AllUsers["SHAREPOINT\\System"].UserToken;
using (SPSite adminSite= new SPSite(SPContext.Current.Site.ID, adminToken) ) {
using (SPWeb adminWeb = adminSite.OpenWeb(SPContext.Current.Web.ID)){
if (adminWeb.DoesUserHavePermissions(SPContext.Current.Web.CurrentUser.LoginName, SPBasePermissions.Open)) {
//do something
}
}
}
Of course, you better not do this on every page load as creation and disposing of SPSite/SPWeb objects is relatively expensive.
Here I have defined a function that takes a SharePoint list object, a Role type and a User.
portal : The sharepoint list or document library object.
role : RoleType provided by sharepoint like Read, Design etc.
user : user to whom you want to grant role on portal.
Hope it will help you.
public static void AssignPermissionToPortal(string portal, SPRoleType role, SPUser user)
{
try
{
// Run with elevated privileges
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(SPContext.Current.Web.Site.ID))
{
using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
{
web.AllowUnsafeUpdates = true;
SPList portalList = SPListHelper.GetSPList(portal, web);
portalList.BreakRoleInheritance(false);
//Add Readers on portal
SPRoleDefinition permission = web.RoleDefinitions["Read"];
if (role == SPRoleType.Administrator)
permission = web.RoleDefinitions["Full control"];
else if (role == SPRoleType.Contributor)
permission = web.RoleDefinitions["Contribute"];
else if (role == SPRoleType.WebDesigner)
permission = web.RoleDefinitions["Design"];
else
permission = web.RoleDefinitions["Read"];
// Check the user Role on site level.
SPUser roleUser = uHelper.GetUserById(user.ID);
if (roleUser != null)
{
SPRoleAssignment assignment = new SPRoleAssignment(roleUser);
assignment.RoleDefinitionBindings.Add(permission);
portalList.RoleAssignments.Add(assignment);
portalList.Update();
}
web.AllowUnsafeUpdates = false;
}
}
});
}
catch (Exception ex)
{
Log.WriteException(ex);
}
}

Additional code required when developing custom visual web part for anonymous access?

I have a simple custom web part with three drop downs that reads from three different list. When the user tries to access this page they get prompted for password, if they don't enter any credentials they get a 401 error.
I have enabled anonymous access both in central admin and on the site itself, users can browse to the site and view it without getting prompted for password. I have made sure that anonymous user have "view" access to the lists in questions but they still can't view any page with a custom web part.
So is it a SharePoint setting or do I have to add something in my web part projects?
Thanks in advance.
Edit:
I call this method in page load and still get the same error
private void LoadImageGallery()
{
SPSecurity.RunWithElevatedPrivileges(delegate()
{
SPSite oSiteCollection = SPContext.Current.Site;
SPWebCollection collWebsites = oSiteCollection.AllWebs;
DataTable dt = new DataTable();
for (int i = 0; i < collWebsites.Count; i++)
{
using (SPWeb oWebsite = collWebsites[i])
{
if (oWebsite.Title == "People")
{
SPList peopleList = oWebsite.Lists["Pages"];
if (peopleList != null)
{
SPListItemCollection collListItems = peopleList.Items;
dt = collListItems.GetDataTable();
// Include Surname to omit default/search page
dt = collListItems.GetDataTable();
rptImageGallery.DataSource = dt;
rptImageGallery.DataBind();
}
}
}
}
});
}
I also tried with
SPSite oSiteCollection = SPContext.Current.Site;
SPWebCollection collWebsites = oSiteCollection.AllWebs;
above runwithelevated..
I set system\sharepoint to have full control in the entire site
The custom page needs to meet two requirements so that the anonymous users can access it:
it needs to inherit from the class UnsecuredLayoutsPageBase,
the property AllowAnonymousAccess needs to be overridden to return true.
For anonymous access, you have to modified your code for access List to bind drop down list as below. Add you code in SPSecurity.RunWithElevatedPrivileges Delegate method.
SPSecurity.RunWithElevatedPrivileges(delegate() {
using (SPSite site = new SPSite(web.Site.ID))
{
//ADD YOUR WEB PART Code HERE
}
});
Important: You must create SharePoint Objects in this Delegate otherwise code will not run with Admin access.

SharePoint 2010: Adding a User to a Group from code

I am trying to add a user to an existing group from a custom login page. Right now, I have no problem getting the current user from SPWeb.CurrentUser. I can view all of this current users groups, but now I am having a problem adding this user to an existing group. I think I need to use SPRoleDefinition and SPRoleAssignment, but all I can find is how to change the permissions on a group using these classes. Does anyone know how I can add this user to a group by the groupname?
Thanks!
You can utilize this function to add user to the current site. You need to pass Group name and UserName.
public void AddUsers(string groupname, string username)
{
try
{
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// Gets a new security context using SHAREPOINT\system
using (SPSite site = new SPSite(SPContext.Current.Site.Url))
{
using (SPWeb thisWeb = site.OpenWeb())
{
thisWeb.AllowUnsafeUpdates = true;
SPUser Name = thisWeb.EnsureUser(username);
thisWeb.Groups[groupname].AddUser(Name);
thisWeb.AllowUnsafeUpdates = false;
}
}
});
}
catch (Exception ex)
{
//Log error here.
}
}
Have you tried any of this?
If you're trying to add a user to a group, this should work:
SPUser currentUser = SPContext.Current.Web.CurrentUser;
SPGroup group = SPContext.Current.Web.SiteGroups["My Group Name"];
group.AddUser(currentUser);
http://msdn.microsoft.com/en-us/library/ms454048.aspx

Checking permissions of a user with a site collection

I want to check whether a user has permissions to a site collection. But i dono how to use SPSite.DoesUserHavePermissions().
What is SPReusableAcl? How can i get it for checking the permissions of the user?
Doesn't the MSDN article (SPWeb.DoesUserHavePermissions Method (String, SPBasePermissions)) help you? The example code can be used to check whether the user has access to a site collection:
using System;
using Microsoft.SharePoint;
namespace Test
{
class Program
{
static void Main(string[] args)
{
using (SPSite site = new SPSite("http://localhost"))
{
using (SPWeb web = site.OpenWeb())
{
// Make sure the current user can enumerate permissions.
if (web.DoesUserHavePermissions(SPBasePermissions.EnumeratePermissions))
{
// Specify the permission to check.
SPBasePermissions permissionToCheck = SPBasePermissions.ManageLists;
Console.WriteLine("The following users have {0} permission:", permissionToCheck);
// Check the permissions of users who are explicitly assigned permissions.
SPUserCollection users = web.Users;
foreach (SPUser user in users)
{
string login = user.LoginName;
if (web.DoesUserHavePermissions(login, permissionToCheck))
{
Console.WriteLine(login);
}
}
}
}
}
Console.ReadLine();
}
}
}
In the sample code above you would just have to change your Site URL and the Variable permissionToCheck. SPBasePermissions has a lot of possible permissions to check against, you can see the enumeration here (SPBasePermissions Enumeration).
Actually there are a lot of tutorials on how to check some user's permissions and you are not limited to DoesUserHavePermissions, see the following Google Search.
As usual, the MSDN examples provide nice textbook examples that do not always apply to real-life scenarios.
In the context of an application page running on SharePoint 2010, from what i understand this code needs to be wrapped in a call to RunWithElevatedPrivileges and even then, as my comment implies, it seems there is an implied catch-22 in the requirements. This works for me (the LoginName is just the FBA username or "domain\user" for AD user for the site - in our case an e-mail address is used):
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite elevatedSite = new SPSite(siteCollectionUrl))
{
foreach (SPSite siteCollection in elevatedSite.WebApplication.Sites)
{
using (SPWeb elevatedWeb = siteCollection.OpenWeb())
{
bool allowUnsafeUpdates = elevatedWeb.AllowUnsafeUpdates;
bool originalCatchValue = SPSecurity.CatchAccessDeniedException;
SPSecurity.CatchAccessDeniedException = false;
try
{
elevatedWeb.AllowUnsafeUpdates = true;
// You can't verify permissions if the user does not exist and you
// can't ensure the user if the user does not have access so we
// are stuck with a try-catch
SPUser innerUser = elevatedWeb.EnsureUser(loginName);
if (null != innerUser)
{
string splogin = innerUser.LoginName;
if (!string.IsNullOrEmpty(splogin) && elevatedWeb.DoesUserHavePermissions(splogin, SPBasePermissions.ViewPages))
{
// this user has permissions; any other login - particularly one that
// results in an UnauthorizedAccessException - does not
}
}
}
catch (UnauthorizedAccessException)
{
// handle exception
}
catch (Exception)
{
// do nothing
}
finally
{
elevatedWeb.AllowUnsafeUpdates = allowUnsafeUpdates;
// reset the flag
SPSecurity.CatchAccessDeniedException = originalCatchValue;
}
}
}
}
});
SPSite.DoesUserHavePermissions(SPReusableAcl, SPBasePermissions);

Resources