SharePoint Internals – Hristo Pavlov’s Blog

10 July, 2008

Be careful when manipulating your SPWeb’s RoleAssignments

This is an interesting “feature” of the SharePoint 2007 permission model that I came across today. Imagine you have a site with a couple of lists, and the site and all of its lists have unique permissions. If you check the HasUniqueRoleAssignments property of the site and of each list, they all return true. So what does this tell you? That they are unique and independent, and that changing the role assignments of the site will not affect the role assignments of the lists, and vice versa, right? Well, not exactly …

For a user to have any permissions granted on a list, that same user must also have permissions granted at the site level. When you add someone as a list “Reader”, for example, SharePoint also adds “Limited Access” for that user at the site level: it creates a new SPRoleAssignment at the site level, or reuses an existing one if the user already has permissions defined there, and then adds the “Limited Access” SPRoleDefinition to that role assignment’s bindings. It does this without asking you or telling you about it.

Now if you decide to delete that user’s role assignment at the site level, guess what happens? SharePoint also deletes the role assignment for the same user in every list that has (not so) unique role assignments, which means every permission granted to this user on any of those lists is gone. Again, it neither asks you nor tells you it has done it. It would have been nice if an exception were thrown, but there isn’t one, so the only way to notice is to inspect the lists’ role assignments afterwards.

So what does this mean for you? If you are dealing with permissions and want to re-apply or change the site-level permissions, and you were planning to first remove all role assignments and then re-add them, that removal will also delete all role assignments from all lists in the site, even from lists with unique role assignments. If that is not what you expected, how do you get around it? Instead of removing the role assignments at the site level, remove only the role definition bindings from each role assignment:

```csharp
// Strip every site-level role definition binding, but keep the SPRoleAssignment
// objects themselves (and with them the "Limited Access" binding SharePoint manages).
foreach (SPRoleAssignment roleAssignment in web.RoleAssignments)
{
    roleAssignment.RoleDefinitionBindings.RemoveAll();
    roleAssignment.Update();
}
```

Doing so will NOT remove the “Limited Access” binding from the site-level role assignments, so your list permissions remain untouched. SharePoint does not let you add or remove “Limited Access” directly; it manages that binding internally.
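The following console program is an added example and is not code from the original post. It assumes a WSS 3.0 / MOSS 2007 farm; the site URL http://intranet/sites/demo, the list title “Shared Documents” and the login CONTOSO\jdoe are placeholders, and it identifies “Limited Access” by SPRoleType.Guest, the same test the second comment below uses. It goes one step beyond the post: before anything at the web level is touched, it enumerates the uniquely-secured lists where the principal holds real roles (exactly what web.RoleAssignments.Remove(...) would silently wipe), then performs the binding-only reset and re-adds the desired roles through the existing SPRoleAssignment objects.

```csharp
// Added example, not code from the original post. Assumes WSS 3.0 / MOSS 2007;
// the site URL, list title and login name below are placeholders.
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

static class WebRoleAssignmentTools
{
    // "Limited Access" is the built-in definition whose Type is SPRoleType.Guest.
    // SharePoint adds and removes it on its own; RemoveAll() leaves it in place.
    static bool IsLimitedAccess(SPRoleDefinition def)
    {
        return def.Type == SPRoleType.Guest;
    }

    static SPRoleAssignment FindAssignment(SPRoleAssignmentCollection assignments, SPPrincipal principal)
    {
        foreach (SPRoleAssignment ra in assignments)
            if (ra.Member.ID == principal.ID) return ra;
        return null;
    }

    // Blast-radius check before deleting a web-level role assignment: each
    // uniquely-secured list where the same principal holds a non-Limited-Access
    // role is a list whose permissions that deletion would silently destroy.
    public static List<string> DependentListRoles(SPWeb web, SPPrincipal principal)
    {
        List<string> hits = new List<string>();
        foreach (SPList list in web.Lists)
        {
            if (!list.HasUniqueRoleAssignments) continue;
            SPRoleAssignment ra = FindAssignment(list.RoleAssignments, principal);
            if (ra == null) continue;
            foreach (SPRoleDefinition def in ra.RoleDefinitionBindings)
                if (!IsLimitedAccess(def)) hits.Add(list.Title + " -> " + def.Name);
        }
        return hits;
    }

    // The safe reset: clear the bindings but keep the SPRoleAssignment objects,
    // then re-add the wanted roles through the existing assignments so that
    // Limited Access (and the list permissions hanging off it) survives.
    public static void ResetWebRoles(SPWeb web, IDictionary<string, SPRoleType> wanted)
    {
        foreach (SPRoleAssignment ra in web.RoleAssignments)
        {
            ra.RoleDefinitionBindings.RemoveAll();
            ra.Update();
        }
        foreach (KeyValuePair<string, SPRoleType> entry in wanted)
        {
            SPUser user = web.EnsureUser(entry.Key);
            SPRoleDefinition def = web.RoleDefinitions.GetByType(entry.Value);
            SPRoleAssignment ra = FindAssignment(web.RoleAssignments, user);
            if (ra != null)
            {
                ra.RoleDefinitionBindings.Add(def);
                ra.Update();
            }
            else
            {
                ra = new SPRoleAssignment(user);
                ra.RoleDefinitionBindings.Add(def);
                web.RoleAssignments.Add(ra);
            }
        }
    }

    static void Main()
    {
        using (SPSite site = new SPSite("http://intranet/sites/demo"))   // placeholder URL
        using (SPWeb web = site.OpenWeb())
        {
            SPUser user = web.EnsureUser("CONTOSO\\jdoe");               // placeholder login
            SPList list = web.Lists["Shared Documents"];                  // placeholder list

            // 1. Grant Reader on a uniquely-secured list; SharePoint adds Limited
            //    Access at the web level without any call of ours.
            if (!list.HasUniqueRoleAssignments) list.BreakRoleInheritance(true);
            SPRoleAssignment listRa = new SPRoleAssignment(user);
            listRa.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(SPRoleType.Reader));
            list.RoleAssignments.Add(listRa);

            SPRoleAssignment webRa = FindAssignment(web.RoleAssignments, user);
            if (webRa != null)
                foreach (SPRoleDefinition def in webRa.RoleDefinitionBindings)
                    Console.WriteLine("web-level binding: {0} (Type={1})", def.Name, def.Type);

            // 2. Audit what a web.RoleAssignments.Remove(...) would take with it.
            foreach (string hit in DependentListRoles(web, user))
                Console.WriteLine("would be lost by removing the web assignment: " + hit);

            // 3. Reset the site-level roles without collateral damage.
            Dictionary<string, SPRoleType> wanted = new Dictionary<string, SPRoleType>();
            wanted[user.LoginName] = SPRoleType.Contributor;
            ResetWebRoles(web, wanted);
            Console.WriteLine("list roles still present: " + DependentListRoles(web, user).Count);
        }
    }
}
```

Run it under an account with full control of the site; after step 3 the count printed should equal the number of list roles reported in step 2, because only bindings were cleared and the role assignment objects (and their Limited Access entries) were never deleted.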

4 Comments »

  1. […] Be careful when manipulating your SPWeb’s RoleAssignments […]

    Pingback by Links (7/10/2008) « Steve Pietrek - Everything SharePoint — 11 July, 2008 @ 12:30 am

  2. The same thing goes for folders – deleting the SPRoleAssignment for a folder’s SPListItem object (also ISecurable) will also remove all of a user’s roles for the subfolders.

    This is how to identify the “Limited Access” SPRoleDefinition (and leave it there):
    `(role_def.Type == SPRoleType.Guest && (role_def.BasePermissions != SPBasePermissions.FullMask))`

    I’m not sure the code you have there will work for folders -> I kept getting an error saying “You cannot add a role assignment with an empty SPRoleDefinitionBinding collection to the object” or something like that.

    My workaround was to:

    A. If there is already an SPRoleAssignment for the user, then I:
    1. Go through the RoleDefinitionBindings collection and remove all except Limited Access.
    2. If I have some new role to add, add it now.
    3. If I added some roles or there was Limited Access, do Update; otherwise remove the role assignment.

    B. If there is no SPRoleAssignment, create a new one for the user.

```csharp
SPUser current_user;      // assuming you have a user object
SPListItem folder_item;   // assuming you have the SPListItem object for the given folder
SPRoleDefinitionBindingCollection new_role_defs = new SPRoleDefinitionBindingCollection(); // add some roles to this.. or add specific roles later.

SPRoleAssignmentCollection roles = folder_item.RoleAssignments;

SPRoleAssignment role_for_current_user = null;
bool is_previous_role = false;
for (int i = 0; i < roles.Count; i++)
{
    SPRoleAssignment role = roles[i] as SPRoleAssignment;

    if (role.Member.ID == ((SPMember)current_user).ID)
    {
        if (!is_previous_role)
        {
            is_previous_role = true;
            bool role_is_not_empty = false;
            bool is_limited = false;
            //role.RoleDefinitionBindings.RemoveAll();
            // Remove every binding except Limited Access (Type Guest, not FullMask).
            for (int j = 0; j < role.RoleDefinitionBindings.Count; j++)
            {
                SPRoleDefinition role_def = role.RoleDefinitionBindings[j];
                if (role_def.Type == SPRoleType.Guest && (role_def.BasePermissions != SPBasePermissions.FullMask))
                    is_limited = true;
                else
                {
                    role.RoleDefinitionBindings.Remove(j);
                    j--;
                }
            }

            foreach (SPRoleDefinition role_def in new_role_defs)
            {
                role_is_not_empty = true;
                role.RoleDefinitionBindings.Add(role_def);
            }

            // Update only if something is left to bind; an empty binding
            // collection is rejected, so drop the assignment instead.
            if (role_is_not_empty || is_limited)
                role.Update();
            else
            {
                roles.Remove(i);
                i--;
            }
        }
        else
        {
            // A second assignment for the same user is a duplicate; remove it.
            roles.Remove(i);
            i--;
        }
    }
}

if (!is_previous_role)
{
    bool role_is_not_empty = false;
    role_for_current_user = new SPRoleAssignment(
        current_user.LoginName,
        current_user.Email,
        current_user.Name,
        current_user.Notes);
    role_for_current_user.RoleDefinitionBindings.RemoveAll();
    foreach (SPRoleDefinition role_def in new_role_defs)
    {
        role_is_not_empty = true;
        role_for_current_user.RoleDefinitionBindings.Add(role_def);
    }
    if (role_is_not_empty)
        roles.Add(role_for_current_user);
}
```

    Comment by =8)-DX — 6 August, 2008 @ 11:07 am

  3. […] This post was mentioned on Twitter by cube_ice, Ted Spalding. Ted Spalding said: Be careful when manipulating your SPWeb’s RoleAssignments… http://is.gd/7Zin6 […]

    Pingback by Tweets that mention Be careful when manipulating your SPWeb’s RoleAssignments « SharePoint Internals – Hristo Pavlov’s Blog -- Topsy.com — 9 February, 2010 @ 9:08 am

