Enable Client Integration – User permissions for Web Application – Caution
Posted by kusek on June 26, 2009
First, a little background. We all know that SharePoint comes with some predefined permission levels by default, represented by class RoleDefinitions in the object model. You can browse through the following URL
and find the set of permission levels your site has.
In addition to the above permission levels, you have the option of creating a new permission level (RoleDefinition) as per your needs. It doesn't stop there; we also have the option to restrict the permissions that can be used in the Web Application. What that means is this: say, for example, you don't want any user of a site (ANY USER, and yes, I mean the Site Collection Administrator as well) to delete or Manage Web. But wait, how can I prevent the Site Collection Administrator from deleting the site? S/he is a big guy with the power to do whatever s/he wants in a Site Collection. That's true, but there is another real big guy: the Farm Administrator. If he decides not to allow Site Delete for a Web Application, he can do so just by un-checking the Manage Web Site permission on the User Permissions for Web Application page, http://Central AdminSite/_admin/vsmask.aspx. With this background, we can see where it gets interesting.
Say you have code in your application that checks whether the user has the Contributor right in a web, as below:
Code Block # 1
using (SPSite oSite = new SPSite(
using (SPWeb oWeb = oSite.RootWeb)
The above code will work fine until our real big guy, the Farm Administrator, comes in and decides to revoke the Delete Permission from the Web Application. Now the above code will start to break: it will keep returning false, because the Contributor role definition was built with the Delete Permission in it, and since the Farm Administrator has removed that permission, your EffectivePermission will no longer match the RoleDefinition of Contributor. The statement below will not be true.
Code Block # 2
Okay, how do I fix it? Just go to your Permission Level page, edit the Contribute permission level, change nothing, and just save it. Now the RoleDefinition Contribute has been informed of the absence of the delete permission, and your code will start working.
But I have still more interesting information for you. In the SPBasePermissions enum, out of 33 permissions, we have a value called SPBasePermissions.UseClientIntegration, which launches client applications. Without this permission, users have to work on documents locally and upload their changes. Like any permission, you can disable this on the User Permissions for Web Application page of Central Admin. But there is another place where you can disable it as well: the Authentication Provider page. Select the authentication provider and, at the end of the page, say No to "Enable Client Integration?". That was a simple change, but we had a really tough time finding it.
When you say No to "Enable Client Integration?", SPBasePermissions.UseClientIntegration is removed from the permissions, but this is not reflected in the UI, either on the User Permissions for Web Application page or on the Permission Level page. In this state, Code Block # 1 will always evaluate to false, because your EffectivePermission doesn't include SPBasePermissions.UseClientIntegration. So you need to manually remove this option from the RoleDefinition to make the code work.
Should I call it a bug? When it is really not there, why should the UI show it?
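To find out which permission is responsible when the check from Code Block # 1 starts returning false, the following added example (not the original post's code) lists the bits the Contribute role definition grants that the current user's effective permissions lack, and shows a check that tolerates a bit known to be switched off farm-side. The class and method names and the command-line URL argument are assumptions; it uses the server object model and has to run on a SharePoint server.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: diagnoses why "effective permissions == Contribute" fails.
// Class/method names are hypothetical; the site URL comes from args[0].
static class ContributeCheckDiagnostics
{
    // Bits the role definition grants that are absent from the effective mask.
    public static SPBasePermissions MissingBits(SPBasePermissions role,
                                                SPBasePermissions effective)
    {
        return role & ~effective;
    }

    // Subset test instead of exact equality: true when every role bit is held,
    // not counting bits in 'ignored' (e.g. ones removed at web-application level).
    public static bool HoldsRole(SPBasePermissions role,
                                 SPBasePermissions effective,
                                 SPBasePermissions ignored)
    {
        return MissingBits(role & ~ignored, effective) == SPBasePermissions.EmptyMask;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ContributeCheckDiagnostics <site-collection-url>");
            return 2;
        }
        using (SPSite site = new SPSite(args[0]))
        {
            SPWeb web = site.RootWeb; // owned by the SPSite, so not disposed here
            SPRoleDefinition contribute =
                web.RoleDefinitions.GetByType(SPRoleType.Contributor);
            SPBasePermissions effective = web.EffectiveBasePermissions;

            // A [Flags] enum prints as a comma-separated list of permission names.
            Console.WriteLine("Role definition grants: {0}", contribute.BasePermissions);
            Console.WriteLine("User effectively holds: {0}", effective);
            Console.WriteLine("Granted but not held:   {0}",
                MissingBits(contribute.BasePermissions, effective));
            Console.WriteLine("Holds Contribute, ignoring UseClientIntegration: {0}",
                HoldsRole(contribute.BasePermissions, effective,
                          SPBasePermissions.UseClientIntegration));
        }
        return 0;
    }
}
```

If the "Granted but not held" line shows only UseClientIntegration for a user who is in the Contribute level, the role definition still carries a bit that was removed elsewhere, which is the state described above.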