Solved

Web Part Permissions?

Posted on 2010-08-12
8
643 Views
Last Modified: 2012-05-10
Greetings!

I have a question that I have tried to search for an answer to, but so far haven't found anything to help yet.

I have two web parts, to which I'll post the code below in their own posts (to keep things clean).

One web part queries the web application that the page being viewed is currently in, and displays all of the groups that the current user is a member of, as well as the URL to the site that the group exists on.  I'll call it "Query User" web part.

The other web part, is a basic "hello world" web part that allows you to change the text (from "hello world" to whatever you want), as well as the color of the text.  Very simple, but I used a webcast from Microsoft to do it because I didn't understand the get/set methods and what they were supposed to do.

Anyway, the problem is this:
I have the three default groups on my test site: Owners, Members, Readers, as well as Site Collection Administrators for my site collection.  So, I add myself to the Owners group (but I am not a Site Collection Administrator).

I can browse to my site, and add the "hello world" web part to the page, change the text, and change the color.  Everything works fine there.  I tried it on Owners, Members, and Readers, and the site displays (although Readers cannot change the web part attributes since they cannot edit the page).

So now my current membership is only "Owners", and I go to add my "Query User" web part to the page...it starts thinking...and then I get "Access Denied".  So, I remote desktop into my VM, and log in with the "SP Admin" account that I created, and browse to my site.  Voila!  There it is, my web part, displaying exactly what it should be showing.

I then added myself as a Site Collection Administrator (by using the service account on the remote-desktop), went back to my normal pc, and tried browsing to the site...and it worked.

So what it comes down to, is that I have two web parts:
Hello World Web Part - can be put on the page, and the page can be seen by ALL users regardless of permission.
Query User Web Part - requires Site Collection Administrator permissions to even view the site, once this web part is added to a page.


Does anyone know why it does this, and what I have to do to fix it?  I'd like other people to be able to use this web part (once I'm done with it, I have more ideas for it but first i want to get this sorted), however I don't want to add everyone to the site collection administrators group, as that's very insecure.
0
Comment
Question by:ThatSharepointGuy
  • 6
  • 2
8 Comments
 
LVL 6

Author Comment

by:ThatSharepointGuy
ID: 33422226
Here is the code for the "Query User" web part.

using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Portal;

namespace My.SharePoint.WebParts
{
    // Inherit from Microsoft.SharePoint's WebPart, not System.Web.UI.WebControls'
    public class GetCurrentUser : Microsoft.SharePoint.WebPartPages.WebPart
    {
        protected override void Render(System.Web.UI.HtmlTextWriter writer)
        {
            // Get contextual reference to the current SPWeb
            SPWeb currentWeb = SPContext.Current.Web;

            // Create HTML table to display information returned
            writer.Write("<table width='100%' cellpadding=5 cellspacing=1 bgcolor='silver'>");
                    writer.Write("<tr align='center'  bgcolor='white'>");
                        writer.Write("<th align='center' bgcolor='white'>Group Name</th>");
                        writer.Write("<th align='center' bgcolor='white'>URL</th>");
                    writer.Write("</tr>");


            // Set current web applicatoin.
            SPWebApplication webApp = SPContext.Current.Site.WebApplication;


            // SPSiteCollection siteCollections = webApp.Sites;
                foreach (SPSite siteCollection in webApp.Sites)
                {
                    int skip = 0;
                    if (System.Text.RegularExpressions.Regex.IsMatch(siteCollection.Url, "/personal/")) { skip = 1; }
                    if (System.Text.RegularExpressions.Regex.IsMatch(siteCollection.Url, "8001")) { skip = 1; }
                    if (System.Text.RegularExpressions.Regex.IsMatch(siteCollection.Url, "/ssp/")) { skip = 1; }
                    if (skip == 1)
                    {
                        // Do nothing, Do not display personal sites, MySite, or SSPs
                    }
                    else
                    {
                        // Process current site collectoin
                        foreach (SPWeb oWeb in siteCollection.AllWebs)
                        {
                            SPUser user = oWeb.CurrentUser;
                            SPGroupCollection groupCollection = user.Groups;
                            foreach (SPGroup group in groupCollection)
                            {
                                // display a new row for each group
                                writer.Write("<tr align='center' bgcolor='white'>");
                                    writer.Write("<td align='center' bgcolor='white'>" + group.Name + "</td>");
                                    writer.Write("<td align='center' bgcolor='white'>" + oWeb.Url + "</td>");
                                writer.Write("</tr>");
                            }
                        }
                    }
                }
                writer.Write("</table><br/>");
//            }
        }
    }
}

Open in new window

0
 
LVL 6

Author Comment

by:ThatSharepointGuy
ID: 33422232
Here is the code for the Hello World web part.

using System;
using System.Runtime.InteropServices;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Serialization;

using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;
using Microsoft.SharePoint.WebPartPages;

using System.ComponentModel;
using System.Drawing;

namespace HelloWorldWebPart
{
    [Guid("b59c21d9-7738-4fbb-8da7-beefaa3dce20")]

    public class HelloWorld : System.Web.UI.WebControls.WebParts.WebPart
    {
        public HelloWorld()
        {
        }

        private KnownColor _textColor = KnownColor.Black;

        [WebBrowsable(true),
        Personalizable(PersonalizationScope.User),
        WebDescription("Hello World Text Color"),
        Category("Hello World"),
        WebDisplayName("Text Color")]
        public KnownColor TextColor
        {
            get { return _textColor; }
            set { _textColor = value; }
        }

        private string _helloWorldText = "Hello SharePoint!";

        [WebBrowsable(true),
        Personalizable(PersonalizationScope.User),
        WebDescription("Hello World Text"),
        Category("Hello World"),
        WebDisplayName("Text")]
        public string HelloWorldText
        {
            get { return _helloWorldText; }
            set { _helloWorldText = value; }
        }

        protected override void CreateChildControls()
        {
            base.CreateChildControls();

            if (string.IsNullOrEmpty(HelloWorldText))
            {
                HelloWorldText = "Hello SharePoint!";
            }

            //TODO: add custom rendering code here.
            Label label = new Label();
            label.Text = HelloWorldText;
            label.ForeColor = Color.FromKnownColor(TextColor);
            this.Controls.Add(label);
        }
    }
}

Open in new window

0
 
LVL 6

Author Comment

by:ThatSharepointGuy
ID: 33422245
I'm hoping that someone will have an idea of why this happens, and how to fix it, as Google, MSDN, and the SDK haven't shown me anything of use yet.

When I go to the Web Part Gallery and look at permissions, they are the same.  
0
 
LVL 51

Expert Comment

by:Ted Bouskill
ID: 33433374
A web part cannot bypass built in security restrictions.  The ability to 'Query' Sharepoint is restricted to people with the highest level permissions within the API even it it's only about themselves.

Sharepoint's permission model isn't always perfect however they are trying to prevent users from creating web parts that could see far more than they should.

Have you downloaded the WSS and Sharepoint SDK's.  They both have different types of documentation to thoroughly cover the API.  I'm sure there is another mechanism to query Sharepoint without using the low level Site Collection access you are attempting.

Have you considered using Search?  The search API is actually an excellent way to gather data like this behind the scenes in Sharepoint because it manages the permissions for you.  I've seen an entire Sharepoint site that uses search to dynamically build all it's content even for navigation.
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 6

Author Comment

by:ThatSharepointGuy
ID: 33456054
Thank you for replying, tedbilly!

If you are talking about using Search (programmatically), what would be the difference between that, and this (what I posted above).  For instance, one of the main things i wanted to do to "get my feet wet" with SharePoint's development side, was to create a web part to show a list of site collection administrators on each site.  However, not everyone that will view this list will BE a site collection administrator.  I might restrict it to just display for the current site, so people know who they are, etc, and can contact them...but normal users will have Contribute permissions at most, so they won't be able to access their page if I throw my web part on there.
0
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 33458278
Hi

The biggest difference is a custom search web part is actually a very powerful and useful skill and it will solve the security trimming for you.

The technique you are using to scan for user information is brute force, if you want to learn the API then please review the SDK's.  There are valid methods to execute permissions that don't require iterating through the web sites.

Plus, Sharepoint has security issues (by design and bugs) so that a child site cannot ask for information about a parent site.  So your web part would only work with child sites.

Focus on the basics, like how to deploy a web part and understand the features already available.  That will lead to understanding what the API can do.
0
 
LVL 6

Author Comment

by:ThatSharepointGuy
ID: 33458734
Greetings Tedbilly!

Thank you very much for the explanation.  It turns out that my brain was misplaced, and that I haven't actually seen the SDK...I thought the SDK = MSDN.  I'll have to download that and take a look at it.  Hopefully, it has a well thought out "plan" (learn this, then learn this, etc, etc).  

Thanks again, Tedbilly!
0
 
LVL 6

Author Closing Comment

by:ThatSharepointGuy
ID: 33649800
Thank you for the very encouraging information to help my journey as an expert in SharePoint!  You're great, TedBilly!  
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We had a requirement to extract data from a SharePoint 2010 Customer List into a CSV file and then place the CSV file into a directory on the network so that the file could be consumed by an AS400 system. I will share in Part 1 how to Extract the Da…
I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now