Thursday, June 28, 2007

Dependencies in Custom SharePoint Permissions

An event handler I have written applies item-level permissions to modified list items - specific users are granted custom permissions.

This was working fine until I enabled versioning on the list manipulated by the handler. After making that change I noticed that the specific users were now seeing the access denied page in SharePoint when attempting to view items with the managed permissions.

The code was assigning SPBasePermissions.EditListItems and SPBasePermissions.ViewListItems rights for the users. After experimenting in the Edit Permissions Level administrative page in the site settings, I noticed that checking certain boxes caused other boxes to be checked - there are clearly some dependencies behind the scenes that should be applied when assigning custom permissions.

The outcome of the experimenting was that with versioning enabled on the list, the View Versions permission was required. Edit rights on an item will be granted to a user by applying the following set of SPBasePermissions to the role definition:

SPBasePermissions.EditListItems
SPBasePermissions.ViewListItems
SPBasePermissions.OpenItems
SPBasePermissions.ViewVersions
SPBasePermissions.ViewPages
SPBasePermissions.Open

Viewing rights are granted with the same set, minus the EditListItems member.
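The following C# sketch is an added example, not the handler described in this post. It shows one way to build the two permission sets above as role definitions and bind one to a single item. The class name, method names and role definition names are hypothetical. It assumes the web defines its own role definitions (it does not inherit them from a parent site) and that the item should start from an empty set of role assignments.

```csharp
using Microsoft.SharePoint;

public static class ItemPermissionHelper
{
    // View set from the post: the edit set minus EditListItems.
    private const SPBasePermissions ViewMask =
        SPBasePermissions.ViewListItems |
        SPBasePermissions.OpenItems |
        SPBasePermissions.ViewVersions |   // needed once versioning is enabled
        SPBasePermissions.ViewPages |
        SPBasePermissions.Open;

    private const SPBasePermissions EditMask =
        ViewMask | SPBasePermissions.EditListItems;

    public static void Grant(SPListItem item, SPUser user, bool canEdit)
    {
        SPWeb web = item.ParentList.ParentWeb;
        // Hypothetical role names, chosen for this example only.
        string name = canEdit ? "Item Editor (custom)" : "Item Viewer (custom)";

        SPRoleDefinition role = FindRole(web, name);
        if (role == null)
        {
            role = new SPRoleDefinition();
            role.Name = name;
            role.BasePermissions = canEdit ? EditMask : ViewMask;
            web.RoleDefinitions.Add(role);
            role = web.RoleDefinitions[name];   // re-read the stored definition
        }

        // Assumption: do not copy the parent's assignments, so only the
        // users granted here (plus site collection admins) keep access.
        if (!item.HasUniqueRoleAssignments)
            item.BreakRoleInheritance(false);

        SPRoleAssignment assignment = new SPRoleAssignment(user);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }

    // The RoleDefinitions indexer throws when the name is missing, so scan instead.
    private static SPRoleDefinition FindRole(SPWeb web, string name)
    {
        foreach (SPRoleDefinition def in web.RoleDefinitions)
            if (def.Name == name) return def;
        return null;
    }
}
```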
