Issue in creating an ItemUpdated event handler and applying permissions for Person or Group entities

  • Question

  • I have an item event receiver wherein I need to set the item level permissions for 3 objects:

    Say for a doc lib column called Reviewers, I need to set the Contribute permission, and another doc lib column called "Approvers" would be having the Contribute permission, and there is a group called NPHSTB, they would be having the Read permissions only.

    And the author who created the doc would be having the ContributeNoDelete permissions.

    I wrote the code, but I am getting the error spprincipal by id [ 38].

    The line it throws on is:

    SPRoleAssignment currentUserRole = myRootWeb.RoleAssignments.GetAssignmentByPrincipal(userIDObj);

    using System;
    using Microsoft.SharePoint;

    public void AddItemLevelAccess(SPFieldUserValue userName, string access, SPItemEventProperties properties)
    {
        bool hasPermission = false;
        try
        {
            using (SPSite CurrentSite = new SPSite(properties.SiteId)) // retrieve current site; disposed on exit
            using (SPWeb CurrentWeb = CurrentSite.OpenWeb(properties.RelativeWebUrl)) // retrieve web by URL; disposed on exit
            {
                SPWeb myRootWeb = CurrentSite.RootWeb; // root web; owned by CurrentSite, not disposed separately
                SPListItem CurrentListItem = CurrentWeb.Lists[properties.ListId].GetItemById(properties.ListItem.ID); // current list item
                var strExistingPermissions = ""; // collects the names of the user's existing role definitions
                SPRoleDefinitionCollection webroledefinitions = myRootWeb.RoleDefinitions; // role definitions
                SPUser userObj = userName.User;
                var userID = userObj.ID;
                SPUser userIDObj = myRootWeb.SiteUsers.GetByID(userID);

                // permission check left incomplete here (no SPBasePermissions value given); hasPermission is not used below
                // hasPermission = CurrentListItem.DoesUserHavePermissions(SPBasePermissions.);

                SPRoleAssignment currentUserRole = myRootWeb.RoleAssignments.GetAssignmentByPrincipal(userIDObj);
                foreach (SPRoleDefinition role in currentUserRole.RoleDefinitionBindings) // remove existing permissions on particular list item
                {
                    strExistingPermissions += role.Name + ", ";
                    CurrentListItem.RoleAssignments.RemoveById(userID);
                }
                SPRoleAssignment roleAssignment = new SPRoleAssignment(userIDObj); // assigning new permission
                roleAssignment.RoleDefinitionBindings.Add(webroledefinitions[access]);
                CurrentListItem.RoleAssignments.Add(roleAssignment);
            }
        }
        catch (Exception expItemLevelAccess)
        {
            NPDLogger.WriteLog(NPDLogger.Category.High, NPDErrorMessages.AddItemLevelAccess, expItemLevelAccess.StackTrace + "__" + expItemLevelAccess.Message);
            throw;
        }
    }

    All in all I need to achieve the below:

    1.  Author should get ContributeNoDelete
    2.  Reviewers column should get Contribute
    3.  Approvers column value should get Contribute
    4.  NPHSTB group should get Read access

    • Edited by SaMolPP Monday, December 19, 2016 2:52 PM
    Monday, December 19, 2016 2:34 PM

All replies

  • In this code:

    SPRoleAssignment currentUserRole = myRootWeb.RoleAssignments.GetAssignmentByPrincipal(userIDObj);
    foreach (SPRoleDefinition role in currentUserRole.RoleDefinitionBindings)   //remove existing permissions on particular list item
    {
        strExistingPermissions += role.Name + ", ";
        CurrentListItem.RoleAssignments.RemoveById(userID);
    }

    you try to manipulate the role assignments of the current user. Instead you need to work with the role assignments of the item whose permissions you want to change. The idea is the following:

    1. you get a reference to the current list item
    2. break role inheritance without copying permissions from the parent list (BreakRoleInheritance(false)). After that no users will have access to the list item (except site collection admins, who have access to all items regardless of unique permissions)
    3. assign permissions on the item to the correct users. For this step you can check e.g. this post: Assign Permissions Programmatically to SharePoint List Folder or item.


    Blog - http://sadomovalex.blogspot.com
    Dynamic CAML queries via C# - http://camlex.codeplex.com

    Monday, December 19, 2016 3:28 PM
  • Thank you for your help. I am changing my code based on the item.

    But one issue I may face is:

     2. break role inheritance without copying permissions from parent list (BreakRoleInheritance(false)). After that no users will have access to the list item (except site collection admins which they have access to all items regardless of unique permissions)
     3. assign permissions to the item to correct users.

    2) --> What I heard and read is that if we apply item level permissions, even site collection admins won't be able to access/read/view on the doc libs or lists. Item level permissions take the highest precedence, that is above all of the other permissions.

    Now, as per my requirement, I would like to achieve the 3 SPUser entities getting the appropriate permissions, and the permissions of existing groups should not be touched.

    That's why I am stuck.
    Tuesday, December 20, 2016 6:02 AM
  • Hi,

    Please try to add your code into the SPSecurity.RunWithElevatedPrivileges.

    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        using (SPSite site = new SPSite(web.Site.ID)) // web: the SPWeb already in scope; a fresh SPSite is opened inside the delegate
        {
            // implementation details omitted
        }
    });

    http://sharepointquicksolutions.blogspot.sg/2012/11/all-ways-of-runwithelevatedprivileges.html

    Or check the similar thread as below:

    http://sharepoint.stackexchange.com/questions/172496/issues-with-spprincipals-on-sp2013

    Best Regards,

    Dennis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, December 20, 2016 6:43 AM
    Moderator
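    An added example, not code from the thread or from any of its posters, that puts the three steps of the first reply (get the item, BreakRoleInheritance(false), assign) and the elevation suggested in the reply above into one ItemUpdated receiver, granting exactly the four roles the question lists. The class and method names (ReviewPermissionsReceiver, ApplyReviewPermissions, ReadPeople, ResolvePrincipal, Grant) are this example's own; the column names "Reviewers" and "Approvers", the group "NPHSTB" and the custom level "ContributeNoDelete" are the ones from the question and are assumed to exist in the site collection.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical receiver class (not from the thread). The column, group and
// permission-level names are the ones the question gives.
public class ReviewPermissionsReceiver : SPItemEventReceiver
{
    private const string ReviewersField = "Reviewers";
    private const string ApproversField = "Approvers";
    private const string ReadOnlyGroup = "NPHSTB";
    private const string AuthorLevel = "ContributeNoDelete"; // custom level; must already exist

    public override void ItemUpdated(SPItemEventProperties properties)
    {
        base.ItemUpdated(properties);
        Guid siteId = properties.SiteId;
        Guid webId = properties.Web.ID;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;

        // Editing role assignments needs ManagePermissions on the item, which the
        // user who saved the document normally lacks. Elevate for this one step only,
        // and open fresh objects inside the delegate: everything reachable from
        // `properties` was created in the user's context and stays there.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);
                ApplyReviewPermissions(web, item);
            }
        });
    }

    public static void ApplyReviewPermissions(SPWeb web, SPListItem item)
    {
        // Step 2 of the first reply: stop inheriting from the library and start from
        // an empty set. BreakRoleInheritance(true) would keep the inherited grants.
        if (!item.HasUniqueRoleAssignments)
        {
            item.BreakRoleInheritance(false);
        }
        else
        {
            // Already unique (a later edit): clear the previous grants so the result
            // is exactly the four below and nothing lingers from an earlier run.
            while (item.RoleAssignments.Count > 0)
            {
                item.RoleAssignments.Remove(0);
            }
        }

        SPRoleDefinitionCollection levels = web.RoleDefinitions;
        SPRoleDefinition contribute = levels.GetByType(SPRoleType.Contributor); // locale-safe lookup
        SPRoleDefinition read = levels.GetByType(SPRoleType.Reader);
        SPRoleDefinition contributeNoDelete = levels[AuthorLevel]; // throws if the level is missing

        // 1. Author -> ContributeNoDelete
        SPFieldUserValue author = new SPFieldUserValue(web, Convert.ToString(item["Author"]));
        Grant(item, ResolvePrincipal(web, author), contributeNoDelete);

        // 2. and 3. Every Reviewer and Approver -> Contribute
        foreach (SPFieldUserValue person in ReadPeople(web, item, ReviewersField))
        {
            Grant(item, ResolvePrincipal(web, person), contribute);
        }
        foreach (SPFieldUserValue person in ReadPeople(web, item, ApproversField))
        {
            Grant(item, ResolvePrincipal(web, person), contribute);
        }

        // 4. NPHSTB group -> Read
        Grant(item, web.SiteGroups[ReadOnlyGroup], read);
    }

    // Reads a Person or Group column whether it holds one entry or several.
    private static SPFieldUserValueCollection ReadPeople(SPWeb web, SPListItem item, string fieldName)
    {
        object raw = item[fieldName];
        return raw == null
            ? new SPFieldUserValueCollection()
            : new SPFieldUserValueCollection(web, raw.ToString());
    }

    // A Person or Group entry can be an SPUser or an SPGroup; .User is null for a
    // group, so fall back to the site groups by lookup id instead of failing.
    private static SPPrincipal ResolvePrincipal(SPWeb web, SPFieldUserValue value)
    {
        if (value == null || value.LookupId <= 0) return null;
        if (value.User != null) return value.User;
        return web.SiteGroups.GetByID(value.LookupId);
    }

    private static void Grant(SPListItem item, SPPrincipal principal, SPRoleDefinition level)
    {
        if (principal == null || level == null) return; // nothing to grant
        SPRoleAssignment assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(level);
        item.RoleAssignments.Add(assignment); // persisted at once; item.Update() is not needed
    }
}
```

    The elevated delegate deliberately opens its own SPSite and SPWeb by ID; handing properties.Web into it would silently keep the saving user's context, which is the usual reason an elevated block still fails with an access error. BreakRoleInheritance(false) follows the first reply; if the requirement that existing group permissions stay untouched wins, pass true instead so the inherited assignments are copied before the four grants are added. Resolving each Person or Group value through ResolvePrincipal avoids the null SPUser you get when the column holds a group, and reading the column as an SPFieldUserValueCollection keeps multi-value Reviewers and Approvers columns working.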
  • Hi

      1) Create a permission level that allows only creating, not deleting.
      2) Call BreakRoleInheritance(false).
      3) Then set the permissions of the item according to the list above.

    thanks

    Tuesday, December 20, 2016 9:49 AM
  • I already created the contributenodelete permission level and it is available in the site collection.

    Tuesday, December 20, 2016 10:11 AM