Wednesday, January 21, 2009

Sunday, October 19, 2008

The blog has moved!

I've moved my blog to my own hosting and plan to be posting more often on my new site.

Please check it out at:

Wednesday, August 27, 2008

SharePoint Permission Strings

SharePoint uses permission or rights strings in numerous places including setting permissions for Custom Actions in your feature XML. A colleague asked this question recently and I had to lookup the answer so I decided I would post for my own reference.

AddAndCustomizePages Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor.
AddDelPrivateWebParts Add or remove personal Web Parts on a Web Part Page.
AddListItems Add items to lists, add documents to document libraries, and add Web discussion comments.
ApplyStyleSheets Apply a style sheet (.css file) to the Web site.
ApplyThemeAndBorder Apply a theme or borders to the entire Web site.
ApproveItems Approve a minor version of a list item or document.
BrowseDirectoriesEnumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces.
BrowseUserInfo View information about users of the Web site.
CancelCheckout Discard or check in a document which is checked out to another user.
CreateAlerts Create e-mail alerts.
CreateGroups Create a group of users that can be used anywhere within the site collection.
CreateSSCSite Create a Web site using Self-Service Site Creation.
DeleteListItems Delete items from a list, documents from a document library, and Web discussion comments in documents.
DeleteVersions Delete past versions of a list item or document.
EditListItems Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
EditMyUserInfo Allows a user to change his or her user information, such as adding a picture.
EmptyMask Has no permissions on the Web site. Not available through the user interface.
EnumeratePermissions Enumerate permissions on the Web site, list, folder, document, or list item.
FullMask Has all permissions on the Web site. Not available through the user interface.
ManageAlerts Manage alerts for all users of the Web site.
ManageLists Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
ManagePermissions Create and change permission levels on the Web site and assign permissions to users and groups.
ManagePersonalViews Create, change, and delete personal views of lists.
ManageSubwebs Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
ManageWeb Grant the ability to perform all administration tasks for the Web site as well as manage content. Activate, deactivate, or edit properties of Web site scoped Features through the object model or through the user interface (UI). When granted on the root Web site of a site collection, activate, deactivate, or edit properties of site collection scoped Features through the object model. To browse to the Site Collection Features page and activate or deactivate site collection scoped Features through the UI, you must be a site collection administrator.
Open Allow users to open a Web site, list, or folder to access items inside that container.
OpenItems View the source of documents with server-side file handlers.
UpdatePersonalWebParts Update Web Parts to display personalized information.
UseClientIntegration Use features that launch client applications; otherwise, users must work on documents locally and upload changes.
UseRemoteAPIs Use SOAP, WebDAV, or Microsoft Office SharePoint Designer 2007 interfaces to access the Web site.
ViewFormPages View forms, views, and application pages, and enumerate lists.
ViewListItems View items in lists, documents in document libraries, and view Web discussion comments.
ViewPages View pages in a Web site.
ViewUsageData View reports on Web site usage.
ViewVersions View past versions of a list item or document.


Monday, July 21, 2008

Properly Populating and Retrieving SharePoint Field Data

SharePoint uses a lot of field types that have different underlying schemas, delimiters and formats. I see a lot of people reverse engineer the field information and "hack" the data into the list using a string such as "1;#Title" for a lookup field. Well this isn't exactly best practice so I've put together a reference table below to assist in using the correct data types for populating or retrieving information from a SharePoint list.

Lookup Field

Field Class: SPFieldLookup
Field Value Class: SPFieldLookupValue

Populating Information:

item["FieldName"] = new SPFieldLookupValue("Title"); // SharePoint will do the lookup as long as the LookupValue's are unique
item["FieldName"] = new SPFieldLookupValue(1, "Title");

Retrieving Information:

SPFieldLookupValue itemValue = item["FieldName"] as SPFieldLookupValue;
int id = itemValue.LookupId;
string value = itemValue.LookupValue;

Multiple Lookup Field

Field Class: SPFieldLookup
Field Value Class: SPFieldLookupValueCollection

Populating Information:

SPFieldLookupValueCollection itemValues = SPFieldLookupValueCollection();
itemValues.Add(new SPFieldLookupValue(1, "Title"));
item["FieldName"] = itemValues;

Retrieving Information:

SPFieldLookupValueCollection itemValues = item["FieldName"] as SPFieldLookupValueCollection;
foreach (SPFieldLookupValue itemValue in itemValues)
int id = itemValue.LookupId;
string value = itemValue.LookupValue;

User Field

Field Class: SPFieldUser
Field Value Class: SPFieldUserValue

Populating Information:

SPUser user = web.AllUsers[@"domain\username"];
item["FieldName"] = user;

Retrieving Information:

string currentValue = item["FieldName"].ToString();
SPFieldUser userField = list.Fields.GetFieldByInternalName("FieldName");
SPFieldUserValue itemValue = (SPFieldUserValue)userField.GetFieldValue(currentValue);
SPUser user = itemValue.User;

URL Field

Field Class: SPFieldUrl
Field Value Class: SPFieldUrlValue

Populating Information:

SPFieldUrlValue urlValue = new SPFieldUrlValue();
urlValue.Url = "";
urlValue.Description = "Google";
item["FieldName"] = urlValue;

Retrieving Information:

SPFieldUrlValue urlValue = new SPFieldUrlValue(item["FieldName"].ToString());
string url = urlValue.Url;
string description = urlValue.Description;

Multiple Choice Field

Field Class: SPFieldMultiChoice
Field Value Class: SPFieldMultiChoiceValue

Populating Information:

SPFieldMultiChoiceValue itemValue = new SPFieldMultiChoiceValue();
itemValue.Add("Choice 1");
itemValue.Add("Choice 2");
itemValue.Add("Choice 3");
item["FieldName"] = itemValue;

Retrieving Information:

SPFieldMultiChoiceValue itemValue = new SPFieldMultiChoiceValue(item["FieldName"].ToString());
foreach (string choice in itemValue)
// value is in choice

Thursday, June 26, 2008

Creating MySites Programmatically

Instead of asking every user to click on "My Site" and have the site provisioned for them it's sometimes nice to already have the site created... or create it as part of the Employee Intake process. This is especially true if the My Site plays a role in a custom application as it did for one of my clients.

Here's a snippet to get you started:

using (SPSite site = new SPSite(url))
UserProfileManager profileManger = new UserProfileManager(ServerContext.GetContext(site));
UserProfile profile = profileManger.GetUserProfile(@"domain\user");

However, I kept getting the following error message:
You do not have access to create this personal site.

Now.. I'm an admin on the box and within SharePoint but it turns out you will see this error if your user does not have access to Shared Services. You'll either need to impersonate a higher user using SPSecurity or, in my case, simply right click on your command line application and choose "Run as..." and enter the credentials for your Shared Services administrator.

Thursday, June 12, 2008

Denying User Access At The Site Level

It's a pretty well known fact that SharePoint cannot deny access for a user below the Web Application level as shown in the screenshot below. Sadly there will be no code samples for this one as it's pretty proprietary stuff.

Well, one of my clients had this exact problem. Except that the answer "Sorry, SharePoint doesn't do that." didn't solve the underlying business problem. Here is a scenario and the provided "Out-Of-The-Box Solution".
  1. Users are given access to a site through a single group "SharePoint Users".
  2. This "SharePoint Users" group is used throughout the rest of the site collection so simply modifying it is not an option.
  3. John Doe is a member of this "SharePoint Users" group but because of an "Ethical Wall" (Law Firm jargon for blocking one lawyer from seeing another lawyers documents) John Doe cannot have access to this site.
After talking with a Microsoft Employee at a training session the recommended approach is to either create smaller groups... ie: "SharePoint Users" and "SharePoint Users Without John" and to maintain these at the site collection level or to simply remove the "SharePoint Users" group from the site and add all your users directly.

We chose to do the latter in an automated fashion. What we ended up with is as follows.
  1. A custom SQL table that holds the list of people that should be denied access to a particular site.
  2. A Timer Job that constantly ensures that those people are actually denied.
  3. A configuration panel in Central Administration to maintain which web applications are using the functionality and to hold configuration options.
  4. A data input panel built into each SharePoint site to allow administrators to deny users and to view who is currently denied.
The bulk of the code exists in the Timer Job. The Timer Job is responsible for breaking the inheritance, looping through all of the current security, removing groups and readding users with the proper security, and finally removing all the denied users.

This solution has the following pluses
  • Will loop through both SharePoint Groups and AD Groups no matter how complicated the nested group structure is
  • Makes a manual process somewhat automated to ensure less user error
  • Although it creates an administrative problem for adding new users (users will not have acecss when they should) it does protect against the more dangerous scenario (a user does have access when they shouldn't)

Wednesday, June 11, 2008

Hiding Empty Publishing Fields in a Page Layout

Most of the time when you're rendering web content that content will exist in a container or have a header or a footer, etc. If you're rendering an HTML publishing field within SharePoint the user could have simply left the field blank (unless you make the field required of course). In this case you probably don't want to render the container/header/footer if there isn't going to be any content. So let's get down to business...

First you have you're normal code

<h3>Publishing Header</h3>
<publishingwebcontrols:richhtmlfield id="PublishingContent1" fieldname="PublishingContent" runat="server"></publishingwebcontrols:richhtmlfield>

This is fine but we don't want "Publishing Header" showing if there is no content in the field. So what do we do? First drop the following code at the beginning of the "PlaceHolderMain" in your custom page layout.

<script runat="server">

public static bool FieldHasValue(SPListItem item, string fieldName)
if (item.Fields.ContainsField(fieldName) && item[fieldName] != null)
string html = item[fieldName].ToString();
Regex regex = new Regex(@"\s]+))?)+\s*|\s*)/?>", RegexOptions.Singleline);
MatchCollection matches = regex.Matches(html);
foreach (Match match in matches)
html = html.Replace(match.Value, "");

html = html.Replace("\n", "").Trim();
return (html.Length > 0);

return false;


Now we just have to use some inline ASP to check the field before we do our rendering.


if (FieldHasValue(item, "PublishingContent"))
Response.Write("<h3>Publishing Header</h3>");


<publishingwebcontrols:richhtmlfield id="PublishingContent1" fieldname="PublishingContent" runat="server"></publishingwebcontrols:richhtmlfield>