I am trying to find a way to get a list of the AD users and AD groups that have access to a folder or file where inheritance is broken. I don't need to know how to find where inheritance is broken, I already have that part, but I'm having trouble finding each user or group that has access. I don't want to see which users are in an AD group, only the names of the groups that have access to the folder. The use case behind this is that we don't want secure folders shared to individual users. All of this should be controlled only by AD groups (site owners have no right to add users to secure folders). I also need to find out whether any files in that folder do not inherit from the folder and are also shared to individual users rather than AD groups (hopefully that makes sense). This is what I have so far, and it works to a certain extent.

Here is the code I have written so far. It takes the item object of a file or folder and a reference to a string. It scans the access, then builds a semicolon-delimited list of users and returns true if one of the SPUser objects is a user rather than a group:
    using Microsoft.SharePoint;

    /// <summary>
    /// Provides list of users\groups that have access to a List Item.
    /// </summary>
    /// <param name="spListItem">Item to check access of</param>
    /// <param name="accountsWithAccess">Receives the semicolon-delimited list of users\groups with access</param>
    /// <returns>true if a direct user (not an AD group) exists in the item's role assignments</returns>
    public bool GetListItemUserAccess(SPListItem spListItem, ref string accountsWithAccess)
    {
        bool isFirstIteration = true;
        bool domainUserExists = false;
        SPRoleAssignmentCollection spItemRoles = spListItem.RoleAssignments;
        foreach (SPRoleAssignment spRole in spItemRoles)
        {
            SPPrincipal spPrincipal = spRole.Member;
            // cast as SPGroup or SPUser to determine whether it is a SharePoint group or a user
            if ((spPrincipal as SPGroup) != null)
            {
                SPGroup spGroup = spPrincipal as SPGroup;
                SPUserCollection usersInGroup = spGroup.Users;
                // report on each user in group
                foreach (SPUser spUser in usersInGroup)
                {
                    // a member that is not an AD group is an individual user
                    if (!spUser.IsDomainGroup)
                    {
                        domainUserExists = true;
                    }
                    // add to list for report.
                    if (isFirstIteration)
                    {
                        isFirstIteration = false;
                    }
                    else
                    {
                        accountsWithAccess += ";";
                    }
                    // depending on the account type sometimes the Login name has the credentials
                    // and sometimes it has a UID (ParseUserIDFromClaim is a helper defined elsewhere in this class)
                    if (spUser.LoginName.ToLower().Contains("<company name>"))
                    {
                        accountsWithAccess += this.ParseUserIDFromClaim(spUser.LoginName);
                    }
                    else
                    {
                        accountsWithAccess += this.ParseUserIDFromClaim(spUser.Name);
                    }
                }
            }
            else if ((spPrincipal as SPUser) != null)
            {
                SPUser spUser = spPrincipal as SPUser;
                // skip users that only have limited access (we don't report on this,
                // as it occurs when the user has access to something else in the site)
                if (!spListItem.DoesUserHavePermissions(spUser, SPBasePermissions.ViewListItems))
                {
                    continue;
                }
                // a principal that is not an AD group is an individual user
                if (!spUser.IsDomainGroup)
                {
                    domainUserExists = true;
                }
                // add to list for report.
                if (isFirstIteration)
                {
                    isFirstIteration = false;
                }
                else
                {
                    accountsWithAccess += ";";
                }
                // depending on the account type sometimes the Login name has the credentials
                // and sometimes it has a UID
                if (spUser.LoginName.ToLower().Contains("<company name>"))
                {
                    accountsWithAccess += this.ParseUserIDFromClaim(spUser.LoginName);
                }
                else
                {
                    accountsWithAccess += this.ParseUserIDFromClaim(spUser.Name);
                }
            }
        }
        return domainUserExists;
    }
So the problem is that this code returns not only the users or groups that have access to the folder, but also other users who have Limited Access to the item because they have access somewhere else in the site.

I finally corrected the problem by inserting the following code:
    if (spRole.RoleDefinitionBindings.Count > 1 || !spRole.RoleDefinitionBindings.Xml.ToString().Contains("Limited Access"))
    {
        //Process accounts
    }

What this does is: if the user has more than one role bound for the list item, or the user's role is not "Limited Access", then the account is processed. Otherwise it is in fact one of those "phantom access" entries that was never granted access to the list item directly.
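The following is an added example, not the asker's code, showing the same Limited Access filter done against the bound SPRoleDefinition objects instead of the Xml string, and then split into what the question actually asks for: the names of groups with real access, any individual users granted directly, and any files under the folder that break inheritance and are also shared to individual users. It assumes the Microsoft.SharePoint server object model (SPListItem, SPRoleAssignment, SPRoleDefinition, SPFolder, SPFile) and that SharePoint types the "Limited Access" role definition as SPRoleType.Guest; the name comparison is kept alongside the type check in case that assumption does not hold for a given farm. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint;

// Added example, not the asker's code. Assumes the SharePoint server object model
// and that "Limited Access" is the role definition typed SPRoleType.Guest.
public class DirectAccessReport
{
    public List<string> Groups { get; private set; }               // AD or SharePoint groups with real access
    public List<string> DirectUsers { get; private set; }          // individual users granted directly (policy violation)
    public List<string> FilesWithDirectUsers { get; private set; } // child files that break inheritance and have direct users

    public DirectAccessReport()
    {
        Groups = new List<string>();
        DirectUsers = new List<string>();
        FilesWithDirectUsers = new List<string>();
    }

    public bool HasDirectUsers
    {
        get { return DirectUsers.Count > 0 || FilesWithDirectUsers.Count > 0; }
    }
}

public static class PermissionAudit
{
    // A role assignment grants real access only if at least one bound role definition
    // is something other than "Limited Access". Inspecting the SPRoleDefinition objects
    // replaces the Xml.Contains("Limited Access") string search from the post.
    public static bool GrantsRealAccess(SPRoleAssignment assignment)
    {
        return assignment.RoleDefinitionBindings
            .Cast<SPRoleDefinition>()
            .Any(rd => rd.Type != SPRoleType.Guest
                    && !string.Equals(rd.Name, "Limited Access", StringComparison.OrdinalIgnoreCase));
    }

    // Classifies the principals on one securable item (folder or file) into group names
    // and directly assigned users, skipping the phantom Limited Access entries.
    public static void Classify(SPSecurableObject item, List<string> groups, List<string> directUsers)
    {
        foreach (SPRoleAssignment assignment in item.RoleAssignments)
        {
            if (!GrantsRealAccess(assignment))
            {
                continue; // only Limited Access bound: not a real grant on this item
            }

            SPPrincipal principal = assignment.Member;
            SPGroup group = principal as SPGroup;
            if (group != null)
            {
                groups.Add(group.Name); // SharePoint group: report the name, not its members
                continue;
            }

            SPUser user = principal as SPUser;
            if (user == null)
            {
                continue;
            }
            if (user.IsDomainGroup)
            {
                groups.Add(user.LoginName);      // AD security group assigned directly: allowed
            }
            else
            {
                directUsers.Add(user.LoginName); // individual user assigned directly: flag it
            }
        }
    }

    // Audits a folder item and the files directly beneath it that stop inheriting from it.
    public static DirectAccessReport AuditFolder(SPListItem folderItem)
    {
        DirectAccessReport report = new DirectAccessReport();
        Classify(folderItem, report.Groups, report.DirectUsers);

        SPFolder folder = folderItem.Folder;
        if (folder == null)
        {
            return report; // not a folder item, so there is nothing below it to inspect
        }

        foreach (SPFile file in folder.Files)
        {
            SPListItem fileItem = file.Item;
            if (fileItem == null || !fileItem.HasUniqueRoleAssignments)
            {
                continue; // inherits from the folder, already covered above
            }

            List<string> fileUsers = new List<string>();
            Classify(fileItem, new List<string>(), fileUsers);
            if (fileUsers.Count > 0)
            {
                report.FilesWithDirectUsers.Add(file.ServerRelativeUrl + " -> " + string.Join(";", fileUsers.ToArray()));
            }
        }
        return report;
    }
}
```

AuditFolder only walks the files in the folder itself; subfolders that break inheritance would need a recursive call on each SPFolder.SubFolders item, which is left out here to keep the example short. Because group membership is never expanded, the report shows exactly the principals that appear in the item's own ACL, which is what a "groups only" policy needs to be checked against.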