How to programatically check if a user can access a SharePoint site?

2
votes

I have a service that runs on the save server as SharePoint. I can use this service to upload/move files in document libraries on different SharePoint sites. I am now trying to check if a user (DOMAIN\USER) has permissions to access a particular SharePoint site.

I have tried using the following:

web.EnsureUser("DOMAIN\USER")
web.CheckPermissions(SPBasePermissions.Open)

The above should raise UnauthorizedAccessException if the user has no permissions. For me it never raises any exception although that user does not have permissions to access this particular site (verified by trying to access the site on the user's machine - Unauthorized 401)

web.DoesUserHavePermissions("DOMAIN\USER", SPBasePermissions.Open)

The above should return True or False, but for me it always returns False, also when the user has permissions to access a site (verified by accessing the site on the user's machine - OK 200).

web.GetUserEffectivePermissions("DOMAIN\USER")

The above should return the permissions mask, but it always returns an EmptyMask.

I think I do not understand those methods, but they are not described well anywhere on the Internet.

Does anyone know how I can check if a user has permissions necessary to access a SharePoint site?

1
.netvb.netsharepointsharepoint-2013
Just to be clear, are you using a string for the Domain\User setup or are you passing an SPUser object in? If you're using a string, are you using @ in front of it to express it as a literal rather than the \ escaping the string? - Graham
Well, actually I put a wrong tag. I am using vb for this project, so no @ necessary in front. Anyway, if the username had been invalid I would have gotten an exception from SharePoint. So, yes, everything is correct. I think those methods are used to check an explicit configuration on the SPSite level and not to check the actual permissions for the user (i.e. I can see that a group has contribute permissions; if the user belongs to that group, but is not explicitly configured for the site, the check still returns unauthorized... - Michal B.

1 Answers

3
votes

I had the same problem as yours. I was passing username in format "domain\username" but it was returning all permissions as false. Finally I realized that I was using Claims based authentication for SharePoint. I changed username to claims format "i:0#.w|domain\username" and it started working perfectly after that. Hope this helps.

Here is a sample working code - 

    var spContext = SharePointContextProvider.Current.GetSharePointContext(Context);

    using (var clientContext = spContext.CreateUserClientContextForSPHost())
    {

        string userName = @"i:0#.w|domain\username";

        var userPermissions = clientContext.Web.GetUserEffectivePermissions(userName);
        clientContext.ExecuteQuery();

        foreach (var permission in Enum.GetValues(typeof(PermissionKind)).Cast<PermissionKind>())
        {
            var permissionName = Enum.GetName(typeof(PermissionKind), permission);
            var hasPermission = userPermissions.Value.Has(permission);
            Response.Write(String.Format("<br>Permission: {0}, HasPermission: {1}", permissionName, hasPermission));
        }


}

Source - http://tech-turf.blogspot.in/2015/12/sharepoint-2013-getusereffectivepermiss.html