Unanswered Strange Access Denied error

  • Thursday, March 22, 2012 10:05 AM

    Hi All,

    I have a really strange security issue here and I'm not sure what the best way of resolving the issue is. I have a list into which data is imported using SPSecurity.RunWithElevatedPrivileges.

    When I view the item then it shows up correctly that it has been Created By: System Account. I also have an event receiver on the list which breaks the permission inheritance (copying list permissions) and then assigns some additional permissions to the item.

    At some point in the future (and I'm still trying to pin down why) the permissions on the item changes.

    Now if I log in using the Web Application Pool account (so that it logs me in as System Admin) I can view the item - however when I try and update (or delete) the item then I get an Error: Access Denied - and some obscure COM reference (0x08...) which effectively also relates to access denied being generated by the WSS object model.

    I understood that it was effectively not possible to remove all permissions from a list item, as the owner/creator would always have access to the item?

    Next stage is to create a little test harness to ensure that what I am saying above can be replicated but I thought I'd throw it out there and see if anyone else had come across any similar issues?

    Thanks

    Adrian Williams
    http://www.tech-wales.co.uk

All Replies

  • Thursday, March 29, 2012 7:14 AM

    Hi Adrian,

    Yes, we cannot remove all permissions from a list item; the pool account will always have permission to access them.

    For the situation you described, I suggest going to the permissions management page of the item and then checking the permissions of the account that got access denied.

    Thanks,
    Simon


    Simon Huang

    TechNet Community Support

    • Marked As Answer by Shimin Huang Friday, March 30, 2012 6:32 AM
    • Unmarked As Answer by Adrian Williams Friday, March 30, 2012 8:20 AM
  • Friday, March 30, 2012 8:40 AM

    Hi Simon,

    Thanks for your reply - that was my understanding too, however it is not what I am experiencing. If I log in as the application pool account (as shown below) then I cannot delete or edit the list item or view its permissions (I can however view the item) either using the UI, PowerShell or user code that is running using SPSecurity.RunWithElevatedPrivileges.

    The image below is trying to "Manage Permissions", but the standard "Error: Access Denied" error message is displayed if you try and delete or edit the item.

    For information I have currently experienced this on two separate Farms both running 2010 SP1 - one a single machine and one a load balanced cluster.

    Adrian

  • Friday, March 30, 2012 7:13 PM
    What is the behavior if you utilize an account which has been granted full control on the application via User Policy in Central Administration?

    Rahul Gupta, MCPD - SharePoint 2010

  • Tuesday, April 03, 2012 2:35 PM

    Hi Rahul,

    A really good suggestion - unfortunately no difference - still getting the access denied error. I tried it with both the admin user and adding a new user, and tried both "Full Control" and "Act as System Account" for the user, but still no difference. I'm not convinced it's an actual access problem - rather it could be more likely a "I cannot determine the permissions on this item" error.

    Thanks for the suggestion though.

    Adrian

  • Thursday, April 12, 2012 10:58 AM

    There is a solution for this problem. It seems that this error only occurs on lists with broken role inheritance. You must do the following:

    1) Reset the role inheritance on list level

    2) Break the role inheritance again on list level

    Now you should be able to manage the permissions of the list item or delete it, whatever you want.

    Note: Be aware that this also resets the custom permissions set on any list item within the list! But this seems to be the only valid solution to gain access to the "corrupted" list item.



    • Edited by Andreas Iseli Thursday, April 12, 2012 11:00 AM added note
  • Monday, April 16, 2012 9:30 AM

    Hi Andreas,

    Thanks for your reply and suggestion. I tried this today, which does appear to have reset the inheritance on all other list items (except this one with the corrupted permissions entry).

    The steps I performed were:-

    1. Go into List Permissions

    2. Click "Inherit Permissions"

    3. Click on "Stop Inheriting Permissions"

    4. I now have a message "Some Items of this list may have unique permissions which are not controlled from this page." When I click on the "Show me uniquely secured items of this list" then it shows only my single corrupted permission entry - which is still giving me access denied.

    This is driving me insane! :-)

    Thanks again for trying

    Adrian
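    The list-level reset and re-break that Andreas describes, and that Adrian walks through above, can be scripted so that the per-item permissions it would otherwise wipe are snapshotted first and re-applied afterwards, with a final pass that reports which items still refuse access. This is an added example, not code posted by anyone in this thread. It assumes the SharePoint 2010 server object model, the SharePoint 2010 Management Shell run as the farm (application pool) account, and the placeholder web URL and list title from the thread; the step numbers in the comments refer to Andreas' two steps.

```powershell
# Added example (not from the thread): reset and re-break role inheritance at
# list level without losing the item-level permissions, then verify.
# Assumes SharePoint 2010 server object model; run in the SharePoint 2010
# Management Shell as the farm (application pool) account.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$webUrl    = "http://sp2010:5000/mysitecollectionurl"   # placeholder from the thread
$listTitle = "CustomListName"                           # placeholder from the thread

$web = Get-SPWeb $webUrl
try {
    $list = $web.Lists[$listTitle]

    # Step 0: snapshot every uniquely-permissioned item's role assignments.
    # ResetRoleInheritance on the list cascades to its items, so without this
    # the custom item permissions are lost (Andreas' note).
    # "Limited Access" (SPRoleType Guest) is created by SharePoint itself and
    # cannot be granted explicitly, so it is left out of the snapshot.
    $snapshot   = @{}
    $unreadable = @()
    foreach ($item in $list.Items) {
        try {
            if (-not $item.HasUniqueRoleAssignments) { continue }
            $entries = @()
            foreach ($ra in $item.RoleAssignments) {
                $roles = @($ra.RoleDefinitionBindings |
                    Where-Object { $_.Type -ne [Microsoft.SharePoint.SPRoleType]::Guest } |
                    ForEach-Object { $_.Name })
                if ($roles.Count -eq 0) { continue }
                $entries += New-Object PSObject -Property @{
                    Member = $ra.Member     # SPUser or SPGroup, web-scoped so still valid after the reset
                    Roles  = $roles
                }
            }
            $snapshot[$item.ID] = $entries
        } catch {
            # Access denied even for the farm account: the "corrupted" item.
            $unreadable += New-Object PSObject -Property @{ ID = $item.ID; Error = $_.Exception.Message }
        }
    }
    Write-Host ("{0} item(s) snapshotted, {1} unreadable" -f $snapshot.Count, $unreadable.Count)

    # Steps 1 and 2: reset, then break again copying the parent web's ACL.
    $list.ResetRoleInheritance()
    $list.BreakRoleInheritance($true)
    $list.Update()

    # Step 3: re-apply the snapshot. BreakRoleInheritance($false) starts the
    # item from an empty ACL, so the result is exactly what was recorded.
    foreach ($id in @($snapshot.Keys)) {
        $item = $list.GetItemById($id)
        $item.BreakRoleInheritance($false)
        foreach ($entry in $snapshot[$id]) {
            $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($entry.Member)
            foreach ($roleName in $entry.Roles) {
                # Role definitions are web-scoped, even for a list with unique permissions.
                $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$roleName])
            }
            $item.RoleAssignments.Add($ra)
        }
    }

    # Step 4: re-check the items that were unreadable before the reset. One
    # that still throws was not reached by the list-level reset, as Adrian saw.
    foreach ($u in $unreadable) {
        try {
            $n = $list.GetItemById($u.ID).RoleAssignments.Count
            Write-Host ("Item {0}: now readable, {1} role assignment(s)" -f $u.ID, $n)
        } catch {
            Write-Warning ("Item {0}: still access denied ({1})" -f $u.ID, $_.Exception.Message)
        }
    }
} finally {
    $web.Dispose()
}
```

    If the items are meant to pick up the new list ACL plus their extras (the behaviour of the original event receiver), use $item.BreakRoleInheritance($true) in step 3 instead of $false; the snapshot is then added on top of the copied list permissions rather than replacing them.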

  • Thursday, April 19, 2012 1:57 PM
  • Friday, April 20, 2012 7:12 AM


    ******** WARNING - ACCESSING SHAREPOINT DATABASE IS NOT SUPPORTED ************

    PLEASE NOTE THOUGH THAT ACCESSING THE SHAREPOINT DATABASE DIRECTLY IS NOT RECOMMENDED OR SUPPORTED - YOU HAVE BEEN WARNED!!!

    ******** WARNING - ACCESSING SHAREPOINT DATABASE IS NOT SUPPORTED ************

    Thanks to NecroSkillz for the pointer - http://social.technet.microsoft.com/profile/necroskillz/?ws=usercard-mini

    If you have this problem - and need to remove the offending list item then the instructions below will remove the item from SharePoint.

    Hope this helps someone... It looks like the original problem might be caused by multiple threads (SPRequest) trying to set permissions on the same object at the same time. Which may be a problem caused by using Async EventHandlers to set permissions - but I don't know that for certain.

    Adrian Williams
    http://www.tech-wales.co.uk


    In Powershell
    =============
    PS C:\Users\Administrator> $sc=Get-SPSite("http://sp2010:5000/mysitecollectionurl")
    PS C:\Users\Administrator> $sc.ID

    Guid
    ----
    9650c703-dcf3-4302-ac1f-6070a74cade6


    PS C:\Users\Administrator> $sc.RootWeb.ID

    Guid
    ----
    8989b9a5-0745-4fcc-a643-d9170e94f875


    PS C:\Users\Administrator> $sc.RootWeb.Lists["CustomListName"].ID

    Guid
    ----
    5e8fc749-e099-4f31-abe2-0f3d0b42325b


    PS C:\Users\Administrator> $sc.RootWeb.Lists["CustomListName"].SchemaXML > c:\foo.bar
    PS C:\Users\Administrator> notepad c:\foo.bar

    In Notepad
    ==========

    ...cc0" ServerTemplate="10011" Cre....

    In SharePoint
    =============
    Open your list item in a browser and look for "ID=28" in the URL

    In SQL Server - Run in your content database
    ============================================
    -- Unsupported (see the warning above): take a backup of the content database first.
    -- GUIDs from the PowerShell output above, ServerTemplate from SchemaXML, Id from the item URL.
    EXEC proc_droplistrecord
     @SiteId='9650c703-dcf3-4302-ac1f-6070a74cade6',
     @WebId='8989b9a5-0745-4fcc-a643-d9170e94f875',
     @ListId='5e8fc749-e099-4f31-abe2-0f3d0b42325b',
     @ServerTemplate=10011,
     @Id=28,
     @UserTitle=NULL
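    The identifiers Adrian collects by hand above (site, web and list GUIDs, the ServerTemplate from SchemaXML, the item ID from the URL) can be gathered in one PowerShell pass that also cross-checks the template number and names the content database the item lives in, then emits the stored procedure call as text for review. This is an added example, not code from the thread; it executes nothing against SQL Server, and the same warning as above applies to whatever is done with its output. It assumes the SharePoint 2010 server object model, the SharePoint 2010 Management Shell, and the placeholder URL, list title and item ID from the thread.

```powershell
# Added example (not from the thread): collect the identifiers for Adrian's
# unsupported proc_droplistrecord procedure and print the call for review.
# Nothing is run against SQL Server here.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$siteUrl   = "http://sp2010:5000/mysitecollectionurl"   # placeholder from the thread
$listTitle = "CustomListName"                           # placeholder from the thread
$itemId    = 28                                         # the ID=... value from the item URL

$site = Get-SPSite $siteUrl
try {
    $web  = $site.RootWeb        # disposed together with $site, not separately
    $list = $web.Lists[$listTitle]

    # ServerTemplate as Adrian reads it out of SchemaXML in Notepad ...
    $m = [regex]::Match($list.SchemaXML, 'ServerTemplate="(\d+)"')
    if (-not $m.Success) { throw "ServerTemplate attribute not found in SchemaXML" }
    $serverTemplate = [int]$m.Groups[1].Value

    # ... cross-checked against the list's BaseTemplate, which is the same number.
    if ($serverTemplate -ne [int]$list.BaseTemplate) {
        Write-Warning ("SchemaXML says {0} but BaseTemplate is {1}" -f $serverTemplate, [int]$list.BaseTemplate)
    }

    # Confirm the item exists and which content database the procedure must be run in.
    $item = $list.GetItemById($itemId)
    Write-Host ("Item {0} '{1}' is in content database {2} on {3}" -f `
        $item.ID, $item.Name, $site.ContentDatabase.Name, $site.ContentDatabase.Server)

    # Emit the call as text. Back up the content database before running it by hand.
    $sql = @"
-- UNSUPPORTED: run only after backing up $($site.ContentDatabase.Name)
EXEC proc_droplistrecord
    @SiteId='$($site.ID)',
    @WebId='$($web.ID)',
    @ListId='$($list.ID)',
    @ServerTemplate=$serverTemplate,
    @Id=$itemId,
    @UserTitle=NULL
"@
    $sql
} finally {
    $site.Dispose()
}
```

    Because the GUIDs are interpolated from live objects rather than copied out of Notepad, a wrong site collection or list title fails at $web.Lists[$listTitle] or GetItemById instead of silently producing a call that targets the wrong row.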