{"id":97,"date":"2008-09-30T15:27:05","date_gmt":"2008-09-30T15:27:05","guid":{"rendered":"http:\/\/www.myfatblog.co.uk\/?p=97"},"modified":"2008-09-30T15:29:08","modified_gmt":"2008-09-30T15:29:08","slug":"a-question-of-authorisation","status":"publish","type":"post","link":"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/","title":{"rendered":"A question of authorisation.."},"content":{"rendered":"<p>I&#8217;m writing some custom application pages that run from the _Layouts directory. They&#8217;re triggered by items on the Edit Control Block menu.. (See the previous post from the other day on this option..)<\/p>\n<p>One of the things that has really come up with this is the question of authorisation, and confirming that the user does have the rights for what you&#8217;re attempting to do. For the work that I&#8217;m doing, this means checking those rights in two places.<\/p>\n<p>The first place is the Edit Control Block that we&#8217;re placing the menu option into. This is defined in your elements.xml as a <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms460194.aspx\">CustomAction<\/a>. One of the useful features of custom actions is that you have two attributes available to hide them from inappropriate users.<\/p>\n<p>The first is the RequireSiteAdministrator attribute. This does exactly what it says on the tin: if the current context user is a Site Admin, they get the menu option; if not, they don&#8217;t.<\/p>\n<pre lang=\"XML\">RequireSiteAdministrator = \"TRUE\"<\/pre>\n<p>The second option is based on the SPBasePermissions enumeration and is a comma-separated list of ALL the permissions that a user must have on a list item before the menu option is shown.<\/p>\n<pre lang=\"XML\">Rights=\"EditListItems,ApproveItems\"<\/pre>\n<p><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/microsoft.sharepoint.spbasepermissions.aspx\">Click here for more information on SPBasePermissions<\/a><\/p>\n<p>BUT.. 
And there is always a but&#8230; if your user knows the URL and the format of the query string, they can always type that in directly, so you must include a security wrapper in your application page.<\/p>\n<p>E.g.<\/p>\n<pre lang=\"Csharp\">\r\ntry\r\n{\r\n     \/\/ Check the same rights on the item that the ECB menu option requires\r\n     if (sourceItem.DoesUserHavePermissions(SPBasePermissions.ApproveItems) && sourceItem.DoesUserHavePermissions(SPBasePermissions.EditListItems))\r\n     {\r\n\r\n         \/\/Do stuff\r\n\r\n     }\r\n     else\r\n     {\r\n        throw new SecurityException(\"You do not have the required rights for that operation.\");\r\n     }\r\n}\r\ncatch (SecurityException ex)\r\n{\r\n         \/\/ Redirect the user to the standard Access Denied page\r\n         SPUtility.HandleAccessDenied(ex);\r\n}\r\n<\/pre>\n<p>As you can see, we can put the authorisation failure inside the try\/catch block and just throw a SecurityException; the catch block hands it to SPUtility.HandleAccessDenied, which redirects the user to the familiar Access Denied page.<\/p>\n<p>Cheers<\/p>\n<p>Reg.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m writing some custom application pages that run from the _Layouts directory. They&#8217;re triggered by items on the Edit Control Block menu.. (See the previous post from the other day on this option..) 
One of the things that has really come up with this is the question of authorisation, and confirming that the user does &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[3,13,7,16,12],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A question of authorisation.. - Blog of an overweight SharePoint addict<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A question of authorisation.. - Blog of an overweight SharePoint addict\" \/>\n<meta property=\"og:description\" content=\"I&#8217;m writing some custom application pages that run from the _Layouts directory. They&#8217;re triggered by items on the Edit Control Block menu.. (See the previous post from the other day on this option..) 
One of the things that has really come up with this is the question of authorisation, and confirming that the user does &hellip; Continue reading\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog of an overweight SharePoint addict\" \/>\n<meta property=\"article:published_time\" content=\"2008-09-30T15:27:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2008-09-30T15:29:08+00:00\" \/>\n<meta name=\"author\" content=\"Cimares\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cimares\" \/>\n<meta name=\"twitter:site\" content=\"@cimares\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cimares\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/\",\"url\":\"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/\",\"name\":\"A question of authorisation.. 
- Blog of an overweight SharePoint addict\",\"isPartOf\":{\"@id\":\"http:\/\/www.myfatblog.co.uk\/#website\"},\"datePublished\":\"2008-09-30T15:27:05+00:00\",\"dateModified\":\"2008-09-30T15:29:08+00:00\",\"author\":{\"@id\":\"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/#website\",\"url\":\"http:\/\/www.myfatblog.co.uk\/\",\"name\":\"Blog of an overweight SharePoint addict\",\"description\":\"The rantings of a (not so) food obsessed IT consultant!\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.myfatblog.co.uk\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6\",\"name\":\"Cimares\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg\",\"contentUrl\":\"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg\",\"caption\":\"Cimares\"},\"sameAs\":[\"http:\/\/www.myfatblog.co.uk\"],\"url\":\"http:\/\/www.myfatblog.co.uk\/index.php\/author\/reginald\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A question of authorisation.. 
- Blog of an overweight SharePoint addict","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/","og_locale":"en_US","og_type":"article","og_title":"A question of authorisation.. - Blog of an overweight SharePoint addict","og_description":"I&#8217;m writing some custom application pages that run from the _Layouts directory. They&#8217;re triggered by items on the Edit Control Block menu.. (See the previous post from the other day on this option..) One of the things that has really come up with this is the question of authorisation, and confirming that the user does &hellip; Continue reading","og_url":"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/","og_site_name":"Blog of an overweight SharePoint addict","article_published_time":"2008-09-30T15:27:05+00:00","article_modified_time":"2008-09-30T15:29:08+00:00","author":"Cimares","twitter_card":"summary_large_image","twitter_creator":"@cimares","twitter_site":"@cimares","twitter_misc":{"Written by":"Cimares","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/","url":"http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/","name":"A question of authorisation.. 
- Blog of an overweight SharePoint addict","isPartOf":{"@id":"http:\/\/www.myfatblog.co.uk\/#website"},"datePublished":"2008-09-30T15:27:05+00:00","dateModified":"2008-09-30T15:29:08+00:00","author":{"@id":"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.myfatblog.co.uk\/index.php\/2008\/09\/a-question-of-authorisation\/"]}]},{"@type":"WebSite","@id":"http:\/\/www.myfatblog.co.uk\/#website","url":"http:\/\/www.myfatblog.co.uk\/","name":"Blog of an overweight SharePoint addict","description":"The rantings of a (not so) food obsessed IT consultant!","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.myfatblog.co.uk\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/55ae8f6885bb5b8390dad001f3da83c6","name":"Cimares","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/www.myfatblog.co.uk\/#\/schema\/person\/image\/","url":"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg","contentUrl":"http:\/\/www.myfatblog.co.uk\/images\/BlogImages\/About_D057\/TopOfTheWorld.jpg","caption":"Cimares"},"sameAs":["http:\/\/www.myfatblog.co.uk"],"url":"http:\/\/www.myfatblog.co.uk\/index.php\/author\/reginald\/"}]}},"_links":{"self":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/97"}],"collection":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=97"}],"version-history":[{"count":0,"href":"http:\
/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/97\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.myfatblog.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}