Sharepoint groups and anonymous access - sharepoint

I have created a custom site that would provide registration for new users who would like to access my SharePoint site with an ASP.NET membership account. When a new user clicks register, I would like to send an email notification about the new user to all members of a particular SharePoint group. The problem is, the registration site allows anonymous access (well it has to :)) but the code (second line) that gets all the users in the group redirects me to a login page:
var web = SPContext.Current.Web;
return web.Groups[groupName].Users;
I have created a new user group and set 'Who can view the membership of the group?' to everyone, but still, I can't get the groups without being logged in. Is it possible at all?

SharePoint has the ability to run code blocks using RunWithElevatedPrivileges, which runs under the identity of the SharePoint system account. If you wrap your code block above, you should be able to get the group you are referencing.
It is really important to make sure you are properly calling Dispose in your code so you are not leaving around references to the SPSite object etc. As a result, almost all RunWithElevatedPrivileges examples utilize the using construct.
More info at
http://msdn.microsoft.com/en-us/library/bb466220.aspx
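The pattern this answer describes, as an added example that is not part of the original answer. The class and method names (`GroupNotificationHelper`, `GetGroupEmails`) are hypothetical, and `groupName` is assumed to be a server-side constant rather than a value taken from the anonymous request.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Hypothetical helper (added example): reads group members on behalf of
// an anonymous registration page.
public static class GroupNotificationHelper
{
    // Returns the e-mail addresses of the members of groupName.
    // groupName is assumed to come from server-side configuration.
    public static List<string> GetGroupEmails(string groupName)
    {
        // Capture only the IDs outside the delegate. SPSite/SPWeb objects
        // taken from SPContext keep the caller's (anonymous) identity even
        // when they are used inside the elevated delegate.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        var emails = new List<string>();

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects created here run as the SharePoint system account.
            // The using blocks dispose them when the delegate ends.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                foreach (SPUser user in web.Groups[groupName].Users)
                {
                    if (!string.IsNullOrEmpty(user.Email))
                    {
                        emails.Add(user.Email);
                    }
                }
            }
        });

        // Only plain strings leave the elevated block, so no elevated
        // SharePoint object is exposed to the anonymous request code.
        return emails;
    }
}
```

Keeping the elevated block this small limits what an anonymous visitor can reach through the system account: the page can trigger a read of one fixed group's e-mail addresses and nothing else.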

When I did this before, I created a list that allowed anonymous users to create new items and then placed an alert on the list that sent notifications to the appropriate people/group. I don't remember there being any security problems sending notifications this way.

Related

Docusign consent issue with 2nd user, is duplicate of 1st working

Running into a bit of an odd issue. I assume it may be a setting somewhere?
Using the API integration for embedded forms. We have two brands, so I've made two users with the same roles. Their job is to be the sender for any embedded form for their respective brand. Their roles are both set as sender from the user settings tab.
support@brand.com
support@other-brand.com
Each user is in 2 groups, developers and their respective brand. Simply being part of developers will allow them to be assigned as the sender of any API templates. It's worth noting, these two users are identical to one another in setup, only difference being support email.
Using user 1, there are no issues, and everything works as intended. Using user 2 however, I get the error "consent required" when trying to get a JWT token?
I've gone through all and any settings I could find, but nothing seems to do what I need. Both users belong to the organization, so I'm simply confused.
Any help and direction is much appreciated.
The answer was I needed to claim the #brand URL the 2nd user was under, which had not been claimed via the application admin interface.
Consent is per user; you would need the second user to log in and navigate to the URL for consent.
If you are using the developer/sandbox/demo environment (not production) the URL you would want to set looks like this:
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=<your IK>&redirect_uri=<some URL you defined for the IK>
Remember to define the redirect_uri in the Apps and Keys page in the settings page where you created the Integration Key and you should be good.

Sitecore website: show/hide menu items based on logged in user role

I'm building a Sitecore 7.2 site using ASP.NET MVC 5.0. The site will have login and each user will have roles.
We need to show/hide the site menu items based on logged in user Roles. The user detail and roles are stored in SAP backend.
Could someone please advise what's the best way to achieve above?
Essentially you will want to map the roles stored in your backend system to Sitecore Roles. Potentially look into creating a custom Role Provider (see in document below)
Once logged in, requests made to Sitecore are made in the context of that logged-in user. Therefore if the user, or their role, does not have permission to view an Item, it will not be returned in the request. This effect means that your Menu will not display items they do not have permission to access.
You and Content Editors can control what users and roles can access via the Security Editor and view their access rights via the Access Viewer in the Content Editor.
These documents will have everything you need - http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf
It's also worth noting that Sitecore's security manages roles as Ors. So if one of the user's roles has permission to see an Item, then the user can see it.
If you require the roles to be Ands (every role must have permission before it's displayed to the user), check this post out - http://www.sitecore.net/learn/blogs/technical-blogs/john-west-sitecore-blog/posts/2015/03/require-membership-in-multiple-roles-in-the-sitecore-aspnet-cms.aspx
You need the roles for the current user from SAP? There is an OData API for that: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde6197817511e10000000a42189b/content.htm
You could query the API in real-time, but it would of course require a login to SAP for the current user.
Or - you could use another API and connect via a service user.

Test if a user have access to an item in SharePoint

I have a project where I have a username (but not the password) and need to check if the user can access an item. This must be on the item-level and not the web level since rights may not be inherited.
I am aware of the SPWeb.CheckPermissions but figured it will only test if the user can access the actual spweb.
Thanks
== EDIT ==
I was able to achieve this by doing this
var item = properties.ListItem;
SPUser user = SPContext.Current.Web.EnsureUser(@"domain\logonname");
item.DoesUserHavePermissions(user, SPBasePermissions.OpenItems);
My question remains a bit however. Is this possible to do via the web service api?
With SharePoint 2013 you can use the REST API to query static methods. An interesting method would be the SPUtility.GetPrincipalsInGroup. Of course you can't ask for "has open permission", but you can ask for a specific group. To query a static method refer to: Programming using the SharePoint 2013 REST service, look for the section Specifying static methods and properties as REST service URIs. Of course you would have to call the Web Service with an authenticated user and the group needs to be enabled to be enumerable by all users.

SharePoint Timer Job - Exception adding aspnet_users to security groups

I have created a custom timer job in SharePoint 2007 which gets the list of email ids from the database and has to add it to security groups in SharePoint.
I am getting the exception "user not found" when I try to verify the user using spweb.ensureuser("emailid") or even add the user to a group without verifying.
I have used web.allusers.getbyemail("emailid") as well but results in the same exception.
Also created owstimer.exe.config file with connection string and provider elements but no luck.
Any ideas?
spweb.ensureuser accepts either 1) the login of a user (not email) or 2) a display name of a user that corresponds to some login. SharePoint has some "storages for logins" like AD or a Forms Based Authentication provider with an underlying service or a database. This means that what you use in spweb.ensureuser must already be found among your logins. You have to add users' logins to SharePoint and the emails will be uploaded automatically. If you want to use pure emails as logins you should learn about Claims Based Authentication in SharePoint and OpenIDs. There are several products which do that (I am not advertising any of 'em :) ).

SharePoint Permissions

I would like to create a folder that users who do not have privileges to view the rest of the site can see. This user group would be granted access to the site, but I only want them to be able to view one particular page.
Is this possible to do without going to every single page and removing the new user group's access?
Yeah, you should be able to create a new group and add the users to that list/subweb/whatever and just that. This is assuming that you didn't grant access to all users somewhere. If you did, then hopefully the default access is granted to a default user group (like SharePoint visitors) and you can alter that group to exclude the users you only want to access the limited part of the site.
If created correctly the new group shouldn't have access to the rest of the site.
If you are getting thrown off by the fact that the user/group is listed as having "Limited Access" on the ACLs on, say, the parent site/web, that's just a placeholder SharePoint uses to make sure people have access to at least the bare minimum set of objects (e.g. theme and other UI files and the parent web itself) to get to the list or item you actually want them to have access to.
As long as the group only has access on a single list, you should have to worry about them having access to anything else.

Resources