The blog has moved!

I've moved my blog to my own hosting and plan to be posting more often on my new site.

Please check it out at:
http://corypeters.net

SharePoint Permission Strings

SharePoint uses permission or rights strings in numerous places including setting permissions for Custom Actions in your feature XML. A colleague asked this question recently and I had to lookup the answer so I decided I would post for my own reference.

AddAndCustomizePages	Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor.
AddDelPrivateWebParts	Add or remove personal Web Parts on a Web Part Page.
AddListItems	Add items to lists, add documents to document libraries, and add Web discussion comments.
ApplyStyleSheets	Apply a style sheet (.css file) to the Web site.
ApplyThemeAndBorder	Apply a theme or borders to the entire Web site.
ApproveItems	Approve a minor version of a list item or document.
BrowseDirectories	Enumerate files and folders in a Web site using Microsoft Office SharePoint Designer 2007 and WebDAV interfaces.
BrowseUserInfo	View information about users of the Web site.
CancelCheckout	Discard or check in a document which is checked out to another user.
CreateAlerts	Create e-mail alerts.
CreateGroups	Create a group of users that can be used anywhere within the site collection.
CreateSSCSite	Create a Web site using Self-Service Site Creation.
DeleteListItems	Delete items from a list, documents from a document library, and Web discussion comments in documents.
DeleteVersions	Delete past versions of a list item or document.
EditListItems	Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
EditMyUserInfo	Allows a user to change his or her user information, such as adding a picture.
EmptyMask	Has no permissions on the Web site. Not available through the user interface.
EnumeratePermissions	Enumerate permissions on the Web site, list, folder, document, or list item.
FullMask	Has all permissions on the Web site. Not available through the user interface.
ManageAlerts	Manage alerts for all users of the Web site.
ManageLists	Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
ManagePermissions	Create and change permission levels on the Web site and assign permissions to users and groups.
ManagePersonalViews	Create, change, and delete personal views of lists.
ManageSubwebs	Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
ManageWeb	Grant the ability to perform all administration tasks for the Web site as well as manage content. Activate, deactivate, or edit properties of Web site scoped Features through the object model or through the user interface (UI). When granted on the root Web site of a site collection, activate, deactivate, or edit properties of site collection scoped Features through the object model. To browse to the Site Collection Features page and activate or deactivate site collection scoped Features through the UI, you must be a site collection administrator.
Open	Allow users to open a Web site, list, or folder to access items inside that container.
OpenItems	View the source of documents with server-side file handlers.
UpdatePersonalWebParts	Update Web Parts to display personalized information.
UseClientIntegration	Use features that launch client applications; otherwise, users must work on documents locally and upload changes.
UseRemoteAPIs	Use SOAP, WebDAV, or Microsoft Office SharePoint Designer 2007 interfaces to access the Web site.
ViewFormPages	View forms, views, and application pages, and enumerate lists.
ViewListItems	View items in lists, documents in document libraries, and view Web discussion comments.
ViewPages	View pages in a Web site.
ViewUsageData	View reports on Web site usage.
ViewVersions	View past versions of a list item or document.

Source

Properly Populating and Retrieving SharePoint Field Data

SharePoint uses a lot of field types that have different underlying schemas, delimiters and formats. I see a lot of people reverse engineer the field information and "hack" the data into the list using a string such as "1;#Title" for a lookup field. Well this isn't exactly best practice so I've put together a reference table below to assist in using the correct data types for populating or retrieving information from a SharePoint list.

Lookup Field

Field Class: SPFieldLookup
Field Value Class: SPFieldLookupValue

Populating Information:

item["FieldName"] = new SPFieldLookupValue("Title"); // SharePoint will do the lookup as long as the LookupValue's are unique
item.Update();
or
item["FieldName"] = new SPFieldLookupValue(1, "Title");
item.Update();

Retrieving Information:

SPFieldLookupValue itemValue = item["FieldName"] as SPFieldLookupValue;
int id = itemValue.LookupId;
string value = itemValue.LookupValue;


Multiple Lookup Field

Field Class: SPFieldLookup
Field Value Class: SPFieldLookupValueCollection

Populating Information:

SPFieldLookupValueCollection itemValues = SPFieldLookupValueCollection();
itemValues.Add(new SPFieldLookupValue(1, "Title"));
item["FieldName"] = itemValues;
item.Update();

Retrieving Information:

SPFieldLookupValueCollection itemValues = item["FieldName"] as SPFieldLookupValueCollection;
foreach (SPFieldLookupValue itemValue in itemValues)
{
int id = itemValue.LookupId;
string value = itemValue.LookupValue;
}


User Field

Field Class: SPFieldUser
Field Value Class: SPFieldUserValue

Populating Information:

web.EnsureUser(@"domain\username");
SPUser user = web.AllUsers[@"domain\username"];
item["FieldName"] = user;
item.Update();

Retrieving Information:

string currentValue = item["FieldName"].ToString();
SPFieldUser userField = list.Fields.GetFieldByInternalName("FieldName");
SPFieldUserValue itemValue = (SPFieldUserValue)userField.GetFieldValue(currentValue);
SPUser user = itemValue.User;


URL Field

Field Class: SPFieldUrl
Field Value Class: SPFieldUrlValue

Populating Information:

SPFieldUrlValue urlValue = new SPFieldUrlValue();
urlValue.Url = "http://www.google.com";
urlValue.Description = "Google";
item["FieldName"] = urlValue;
item.Update();

Retrieving Information:

SPFieldUrlValue urlValue = new SPFieldUrlValue(item["FieldName"].ToString());
string url = urlValue.Url;
string description = urlValue.Description;


Multiple Choice Field

Field Class: SPFieldMultiChoice
Field Value Class: SPFieldMultiChoiceValue

Populating Information:

SPFieldMultiChoiceValue itemValue = new SPFieldMultiChoiceValue();
itemValue.Add("Choice 1");
itemValue.Add("Choice 2");
itemValue.Add("Choice 3");
item["FieldName"] = itemValue;
item.Update();

Retrieving Information:

SPFieldMultiChoiceValue itemValue = new SPFieldMultiChoiceValue(item["FieldName"].ToString());
foreach (string choice in itemValue)
{
// value is in choice
}


Creating MySites Programmatically

Instead of asking every user to click on "My Site" and have the site provisioned for them it's sometimes nice to already have the site created... or create it as part of the Employee Intake process. This is especially true if the My Site plays a role in a custom application as it did for one of my clients.

Here's a snippet to get you started:


using (SPSite site = new SPSite(url))
{
UserProfileManager profileManger = new UserProfileManager(ServerContext.GetContext(site));
UserProfile profile = profileManger.GetUserProfile(@"domain\user");
profile.CreatePersonalSite();
}


However, I kept getting the following error message:
You do not have access to create this personal site.

Now.. I'm an admin on the box and within SharePoint but it turns out you will see this error if your user does not have access to Shared Services. You'll either need to impersonate a higher user using SPSecurity or, in my case, simply right click on your command line application and choose "Run as..." and enter the credentials for your Shared Services administrator.

Denying User Access At The Site Level

It's a pretty well known fact that SharePoint cannot deny access for a user below the Web Application level as shown in the screenshot below. Sadly there will be no code samples for this one as it's pretty proprietary stuff.



Well, one of my clients had this exact problem. Except that the answer "Sorry, SharePoint doesn't do that." didn't solve the underlying business problem. Here is a scenario and the provided "Out-Of-The-Box Solution".

1. Users are given access to a site through a single group "SharePoint Users".
2. This "SharePoint Users" group is used throughout the rest of the site collection so simply modifying it is not an option.
   
3. John Doe is a member of this "SharePoint Users" group but because of an "Ethical Wall" (Law Firm jargon for blocking one lawyer from seeing another lawyers documents) John Doe cannot have access to this site.

After talking with a Microsoft Employee at a training session the recommended approach is to either create smaller groups... ie: "SharePoint Users" and "SharePoint Users Without John" and to maintain these at the site collection level or to simply remove the "SharePoint Users" group from the site and add all your users directly.

We chose to do the latter in an automated fashion. What we ended up with is as follows.

1. A custom SQL table that holds the list of people that should be denied access to a particular site.
2. A Timer Job that constantly ensures that those people are actually denied.
3. A configuration panel in Central Administration to maintain which web applications are using the functionality and to hold configuration options.
4. A data input panel built into each SharePoint site to allow administrators to deny users and to view who is currently denied.

The bulk of the code exists in the Timer Job. The Timer Job is responsible for breaking the inheritance, looping through all of the current security, removing groups and readding users with the proper security, and finally removing all the denied users.

This solution has the following pluses

• Will loop through both SharePoint Groups and AD Groups no matter how complicated the nested group structure is
• Makes a manual process somewhat automated to ensure less user error
• Although it creates an administrative problem for adding new users (users will not have acecss when they should) it does protect against the more dangerous scenario (a user does have access when they shouldn't)
  

Hiding Empty Publishing Fields in a Page Layout

Most of the time when you're rendering web content that content will exist in a container or have a header or a footer, etc. If you're rendering an HTML publishing field within SharePoint the user could have simply left the field blank (unless you make the field required of course). In this case you probably don't want to render the container/header/footer if there isn't going to be any content. So let's get down to business...

First you have you're normal code


<h3>Publishing Header</h3>
<publishingwebcontrols:richhtmlfield id="PublishingContent1" fieldname="PublishingContent" runat="server"></publishingwebcontrols:richhtmlfield>


This is fine but we don't want "Publishing Header" showing if there is no content in the field. So what do we do? First drop the following code at the beginning of the "PlaceHolderMain" in your custom page layout.

<script runat="server">

public static bool FieldHasValue(SPListItem item, string fieldName)
{
if (item.Fields.ContainsField(fieldName) && item[fieldName] != null)
{
string html = item[fieldName].ToString();
Regex regex = new Regex(@"\s]+))?)+\s*|\s*)/?>", RegexOptions.Singleline);
MatchCollection matches = regex.Matches(html);
foreach (Match match in matches)
{
html = html.Replace(match.Value, "");
}

html = html.Replace("\n", "").Trim();
return (html.Length > 0);
}

return false;
}

</script>

Now we just have to use some inline ASP to check the field before we do our rendering.

<%

if (FieldHasValue(item, "PublishingContent"))
Response.Write("<h3>Publishing Header</h3>");

%>

<publishingwebcontrols:richhtmlfield id="PublishingContent1" fieldname="PublishingContent" runat="server"></publishingwebcontrols:richhtmlfield>