I have built custom Membership and Role providers. Users are some clients that belong to the company and I am using Company as a Role.
I would like to create SharePoint Group and add more companies to it (for example type of industry) and then do redirecting and security by the SPGroup.
How do I retrieve SPGroup for the current logged in user ?
I would like to this in my custom Login page so another problem is how do I retrieve SPUser or SPGroup knowing login name ?
This is what I have now:
private List GetGroupsForUser(List roleAccounts)
{
List groups = new List();
SPSecurity.RunWithElevatedPrivileges(
delegate()
{
using (SPSite site = new SPSite(SPContext.Current.Web.Site.ID))
{
SPUserCollection users = site.RootWeb.SiteUsers;
foreach (string account in roleAccounts)
{
SPGroupCollection accGroups = users[account].Groups;
foreach (SPGroup spg in groups)
{
groups.Add(spg);
}
}
}
}
);
return groups;
}
private string GetRoleManagerName()
{
foreach (KeyValuePair setting in SPContext.Current.Site.WebApplication.IisSettings)
{
if (string.IsNullOrEmpty(setting.Value.RoleManager) == false)
return setting.Value.RoleManager.ToLower();
}
return null;
}
private List GetSpAccounts()
{
List roleAccounts = new List();
string roleProviderName = GetRoleManagerName();
foreach (string role in Roles.GetRolesForUser(login.UserName))
{
roleAccounts.Add(roleProviderName + ":" + role.ToLower());
}
return roleAccounts;
}
// and now I can use it
List roleAccounts = GetSpAccounts();
List groups = GetGroupsForUser(roleAccounts);
But I have a felling that I should not have to do this manually like this. How will Target Audience work if only role is added to the group ?
Use the OwnedGroups property of the SPUser class to return the collection of groups owned by a user.
Update misunderstood the question:
Get the currently logged in user: SPContext.Current.Web.CurrentUser
Add that use to a group: SPGroup.Users.Add([username],[email],[name],[notes]);
Update, third times the charm. So you want to find out what group the user is in based on the roles they have?
It's a bit of a combination of the above two attempts at answering it:
var matched = from r in SPContext.Current.Web.CurrentUser.Roles
where r.Name = [Role]
select r.Groups;
Important note that the Roles property won't work in the next version of SharePoint!
Personally I think SPContext.Current.Web.CurrentUser.Groups would be an easier way to figure out what groups the user is in, but it ignores your role requirementment.
Related
In a public facing web app multi tenant app, I'm using ASP Identity 2.x.
I let 3rd party's e.g. non-profits/comps self-register, create and populate their own roles and users. The code below is fine, if its an intranet scenarios where everyone belongs to the same company, it does not for work multiple non-profits
The non-profits registrants (understandably so) are naming roles with the same names, i.e. Managers and Employees etc. which are common/same across the database.
How can I extend ASP Identity to separate the roles per organization in a multi-tenant fashion, can you help me understand the design and how extend this, do I need a sub-role? i.e.
what do I do to ensure roles are scoped per organization at the database, so that different org's can have the same role names?
and, what do I do at the middle tier, i.e. usermanager, role manager objects level (middle tier)
//Roles/Create
[HttpPost]
public ActionResult Create(FormCollection form)
{
try
{
context.Roles.Add(new Microsoft.AspNet.Identity.EntityFramework.IdentityRole()
{ \\ Question - can I add another level here like company??
Name = form["RoleName"]
});
context.SaveChanges();
ViewBag.ResultMessage = "Role created successfully";
return RedirectToAction("RoleCreated");
}
catch
{
return View();
}
}`
Question- When adding a role, how do I separate the role to know which Role is from Which company when I add to the user?
public ActionResult RoleAddToUser(string UserName, string RoleName)
{
ApplicationUser user = context.Users.Where(u => u.UserName.Equals(UserName, StringComparison.CurrentCultureIgnoreCase)).FirstOrDefault();
var account = new AccountController();
account.UserManager.AddToRole(user.Id, RoleName);
ViewBag.ResultMessage = "Role created successfully !";
// prepopulat roles for the view dropdown
var list = context.Roles.OrderBy(r => r.Name).ToList().Select(rr => new SelectListItem { Value = rr.Name.ToString(), Text = rr.Name }).ToList();
ViewBag.Roles = list;
return View("ManageUserRoles");
}
how do I get the list of Roles and Users for that non-profit?
public ActionResult ManageUserRoles()
{
var list = context.Roles.OrderBy(r => r.Name).ToList().Select(rr => new SelectListItem { Value = rr.Name.ToString(), Text = rr.Name }).ToList();
ViewBag.Roles = list;
return View();
}`
I'm guessing you do have some sort of TenantId or CompanyId that is an identifier to the tenant you are working with.
IdentityRole and IdentityUser are framework objects that is recommended to inherit to add your own properties. You should do just that:
public class MyApplicationRole : IdentityRole
{
public int CompanyId { get; set; }
}
public class MyApplicationuser : IdentityUser
{
public int CompanyId { get; set; }
}
You can also add reference to a company object here and link it as a foreign key. This might make your life easier retrieving company objects related to the user.
Based on the objects above I'll try answering your questions:
When roles are created you can append a CompanyId to the name as a prefix. Something like <CompanyId>#CustomerServiceRole. This will avoid name clashes. At the same time add CompanyId to the MyApplicationRole class. Prefixed identifier will avoid clashes, identifier in the object will make the roles discoverable by the company. Alternatively you can implement RoleValidator and do the validation based on unique role name within a company. But then you will have to change the code that creates user identity when users are logged in, as role ids are not stored into the cookie.
I think this is self explanatory from the previous answer:
context.Roles.Add(new Microsoft.AspNet.Identity.EntityFramework.IdentityRole()
{
CompanyId = companyId, // TODO Get the company Id
Name = companyId.ToString() + "#" + form["RoleName"]
});
Self explanatory, see code snippets above.
Depending how you link your roles to companies the query will be different. Basically you'll need to do a join between companies and matching roles based on CompanyId and then filter companies by the non-profit flag.
As we know, we can check user's permission by doing this:
using (SPWeb web = site.OpenWeb(path))
{
SPUser user = SPContext.Current.Web.CurrentUser;
string loginName = user.LoginName;
if (web.DoesUserHavePermissions(SPBasePermissions.EnumeratePermissions))
{
if (web.DoesUserHavePermissions(user.LoginName, SPBasePermissions.Open))
{
//do something
}
}
}
Here is my question, if current user doesn't have enumerate permission, how to get permissions on SharePoint object? Thanks in advance.
You can do it by opening an "admin" web instance (creating a SPSite object and passing System account's user token to it). This way you do not have to worry about whether current user has or has not got enough permission.
SPUserToken adminToken = SPContext.Current.Web.AllUsers["SHAREPOINT\\System"].UserToken;
using (SPSite adminSite= new SPSite(SPContext.Current.Site.ID, adminToken) ) {
using (SPWeb adminWeb = adminSite.OpenWeb(SPContext.Current.Web.ID)){
if (adminWeb.DoesUserHavePermissions(SPContext.Current.Web.CurrentUser.LoginName, SPBasePermissions.Open)) {
//do something
}
}
}
Of course, you better not do this on every page load as creation and disposing of SPSite/SPWeb objects is relatively expensive.
Here I have defined a function that takes a SharePoint list object, a Role type and a User.
portal : The sharepoint list or document library object.
role : RoleType provided by sharepoint like Read, Design etc.
user : user to whom you want to grant role on portal.
Hope it will help you.
public static void AssignPermissionToPortal(string portal, SPRoleType role, SPUser user)
{
try
{
// Run with elevated privileges
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(SPContext.Current.Web.Site.ID))
{
using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
{
web.AllowUnsafeUpdates = true;
SPList portalList = SPListHelper.GetSPList(portal, web);
portalList.BreakRoleInheritance(false);
//Add Readers on portal
SPRoleDefinition permission = web.RoleDefinitions["Read"];
if (role == SPRoleType.Administrator)
permission = web.RoleDefinitions["Full control"];
else if (role == SPRoleType.Contributor)
permission = web.RoleDefinitions["Contribute"];
else if (role == SPRoleType.WebDesigner)
permission = web.RoleDefinitions["Design"];
else
permission = web.RoleDefinitions["Read"];
// Check the user Role on site level.
SPUser roleUser = uHelper.GetUserById(user.ID);
if (roleUser != null)
{
SPRoleAssignment assignment = new SPRoleAssignment(roleUser);
assignment.RoleDefinitionBindings.Add(permission);
portalList.RoleAssignments.Add(assignment);
portalList.Update();
}
web.AllowUnsafeUpdates = false;
}
}
});
}
catch (Exception ex)
{
Log.WriteException(ex);
}
}
I am trying to add a user to an existing group from a custom login page. Right now, I have no problem getting the current user from SPWeb.CurrentUser. I can view all of this current users groups, but now I am having a problem adding this user to an existing group. I think I need to use SPRoleDefinition and SPRoleAssignment, but all I can find is how to change the permissions on a group using these classes. Does anyone know how I can add this user to a group by the groupname?
Thanks!
You can utilize this function to add user to the current site. You need to pass Group name and UserName.
public void AddUsers(string groupname, string username)
{
try
{
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// Gets a new security context using SHAREPOINT\system
using (SPSite site = new SPSite(SPContext.Current.Site.Url))
{
using (SPWeb thisWeb = site.OpenWeb())
{
thisWeb.AllowUnsafeUpdates = true;
SPUser Name = thisWeb.EnsureUser(username);
thisWeb.Groups[groupname].AddUser(Name);
thisWeb.AllowUnsafeUpdates = false;
}
}
});
}
catch (Exception ex)
{
//Log error here.
}
}
Have you tried any of this?
If you're trying to add a user to a group, this should work:
SPUser currentUser = SPContext.Current.Web.CurrentUser;
SPGroup group = SPContext.Current.Web.SiteGroups["My Group Name"];
group.AddUser(currentUser);
http://msdn.microsoft.com/en-us/library/ms454048.aspx
While creating Group in sharepoint we have an option
"Send membership requests to the following e-mail address"
It is used to send membership request to the SPGroup.
But how can we set the e-mail address programmatically
I'm trying to accomplish the same thing in a feature activated event. I have found how to create the group and how to access these settings in the object model. You can use my example below. The problem is, my changes to these boolean properties of the SPGroup don't take, despite calling SPGroup.Update(). The SPGroup created still uses the default settings (membership requests are turned off).
public override void FeatureActivated(SPFeatureReceiverProperties properties)
{
SPSite site = (SPSite)properties.Feature.Parent;
{
using (SPWeb web = site.RootWeb)
{
SPGroupCollection collGroups = web.SiteGroups;
SPUser user = web.EnsureUser("DOMAIN\\username");
collGroups.Add("MySPGroupName", user, user, "MySPGroupDescription");
if (!web.AssociatedGroups.Contains(collGroups["MySPGroupName"]))
{
web.AssociatedGroups.Add(collGroups["MySPGroupName"]);
}
SPRoleAssignment assignment = new SPRoleAssignment(collGroups["MySPGroupName"]);
SPRoleDefinition def = web.RoleDefinitions.GetByType(SPRoleType.Contributor);
assignment.RoleDefinitionBindings.Add(def);
web.RoleAssignments.Add(assignment);
web.Update();
collGroups["MySPGroupName"].AllowMembersEditMembership = true;
collGroups["MySPGroupName"].AllowRequestToJoinLeave = true;
collGroups["MySPGroupName"].OnlyAllowMembersViewMembership = false;
string emailForRequests = "username#domain.com";
if (!String.IsNullOrEmpty(user.Email))
emailForRequests = user.Email;
collGroups["MySPGroupName"].RequestToJoinLeaveEmailSetting = emailForRequests;
collGroups["MySPGroupName"].Update();
}
}
}
If using SP 2013, using PowerShell you can use the following code:
$membersGroup = $siteCollection.SiteGroups["$groupName"]
$membersGroup.RequestToJoinLeaveEmailSetting = "someone#mail.com"
$membersGroup.Update()
I want to check whether a user has permissions to a site collection. But i dono how to use SPSite.DoesUserHavePermissions().
What is SPReusableAcl? How can i get it for checking the permissions of the user?
Doesn't the MSDN article (SPWeb.DoesUserHavePermissions Method (String, SPBasePermissions)) help you? The example code can be used to check whether the user has access to a site collection:
using System;
using Microsoft.SharePoint;
namespace Test
{
class Program
{
static void Main(string[] args)
{
using (SPSite site = new SPSite("http://localhost"))
{
using (SPWeb web = site.OpenWeb())
{
// Make sure the current user can enumerate permissions.
if (web.DoesUserHavePermissions(SPBasePermissions.EnumeratePermissions))
{
// Specify the permission to check.
SPBasePermissions permissionToCheck = SPBasePermissions.ManageLists;
Console.WriteLine("The following users have {0} permission:", permissionToCheck);
// Check the permissions of users who are explicitly assigned permissions.
SPUserCollection users = web.Users;
foreach (SPUser user in users)
{
string login = user.LoginName;
if (web.DoesUserHavePermissions(login, permissionToCheck))
{
Console.WriteLine(login);
}
}
}
}
}
Console.ReadLine();
}
}
}
In the sample code above you would just have to change your Site URL and the Variable permissionToCheck. SPBasePermissions has a lot of possible permissions to check against, you can see the enumeration here (SPBasePermissions Enumeration).
Actually there are a lot of tutorials on how to check some user's permissions and you are not limited to DoesUserHavePermissions, see the following Google Search.
As usual, the MSDN examples provide nice textbook examples that do not always apply to real-life scenarios.
In the context of an application page running on SharePoint 2010, from what i understand this code needs to be wrapped in a call to RunWithElevatedPrivileges and even then, as my comment implies, it seems there is an implied catch-22 in the requirements. This works for me (the LoginName is just the FBA username or "domain\user" for AD user for the site - in our case an e-mail address is used):
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite elevatedSite = new SPSite(siteCollectionUrl))
{
foreach (SPSite siteCollection in elevatedSite.WebApplication.Sites)
{
using (SPWeb elevatedWeb = siteCollection.OpenWeb())
{
bool allowUnsafeUpdates = elevatedWeb.AllowUnsafeUpdates;
bool originalCatchValue = SPSecurity.CatchAccessDeniedException;
SPSecurity.CatchAccessDeniedException = false;
try
{
elevatedWeb.AllowUnsafeUpdates = true;
// You can't verify permissions if the user does not exist and you
// can't ensure the user if the user does not have access so we
// are stuck with a try-catch
SPUser innerUser = elevatedWeb.EnsureUser(loginName);
if (null != innerUser)
{
string splogin = innerUser.LoginName;
if (!string.IsNullOrEmpty(splogin) && elevatedWeb.DoesUserHavePermissions(splogin, SPBasePermissions.ViewPages))
{
// this user has permissions; any other login - particularly one that
// results in an UnauthorizedAccessException - does not
}
}
}
catch (UnauthorizedAccessException)
{
// handle exception
}
catch (Exception)
{
// do nothing
}
finally
{
elevatedWeb.AllowUnsafeUpdates = allowUnsafeUpdates;
// reset the flag
SPSecurity.CatchAccessDeniedException = originalCatchValue;
}
}
}
}
});
SPSite.DoesUserHavePermissions(SPReusableAcl, SPBasePermissions);