How to programmatically get the list of users and groups that have access to a file or folder in SharePoint

Time: 2015-07-17 23:19:49

Tags: sharepoint sharepoint-2013

I'm trying to find a way to get a list of the AD users and AD groups that have access to a folder or file whose inheritance has been broken. I don't need to know how to find broken inheritance; I already have that part. What I'm stuck on is finding every user or group that has access. I don't want to see which users are in the AD group; I only want to see the name of the group that has access to the folder. The use case behind this is that we don't want secured folders shared to individual users. All of this must be controlled only through AD groups (site owners don't have the right to add users to secured folders). I also need to determine whether any files in the folder do not inherit from the folder and are also shared to individual users rather than AD groups (hopefully that makes sense). Below is what I've done so far, but for some reason it returns users who have access elsewhere in the site, and the users with Limited Access then have to be cleaned up afterwards.

Here is the code I have written so far. It takes the item object of the file or folder and a reference to a string. It scans the access, builds a semicolon-delimited list of users, and returns true if one of the SPUser objects is a user rather than a group:

/// <summary>
/// Provides list of users\groups that have access to a List Item.
/// </summary>
/// <param name="spListItem">Item to check access of</param>
/// <param name="accountsWithAccess">Receives a semicolon-delimited list of users\groups with access</param>
/// <returns>true if a direct (individual) user exists among the principals with access</returns>
public bool GetListItemUserAccess(SPListItem spListItem, ref string accountsWithAccess)
{
    bool isFirstIteration = true;
    bool domainUserExists = false;
    SPRoleAssignmentCollection spItemRoles = spListItem.RoleAssignments;

    foreach (SPRoleAssignment spRole in spItemRoles)
    {
        SPPrincipal spPrincipal = spRole.Member;

        //cast as SPGroup or SPUser to determine if it is a SharePoint group or a user/AD group
        if ((spPrincipal as SPGroup) != null)
        {
            SPGroup spGroup = spPrincipal as SPGroup;
            SPUserCollection usersInGroup = spGroup.Users;

            //report on each member of the SharePoint group
            foreach (SPUser spUser in usersInGroup)
            {
                //IsDomainGroup is false for an individual account, true for an AD group
                if (!spUser.IsDomainGroup)
                {
                    domainUserExists = true;
                }

                //add to list for report.
                if (isFirstIteration)
                {
                    isFirstIteration = false;
                }
                else
                {
                    accountsWithAccess += ";";
                }

                //depending on the account type sometimes the Login name has the credentials and sometimes it has
                //a UID
                if (spUser.LoginName.ToLower().Contains("<company name>"))
                {
                    accountsWithAccess += this.ParseUserIDFromClaim(spUser.LoginName);
                }
                else
                {
                    accountsWithAccess += this.ParseUserIDFromClaim(spUser.Name);
                }
            }
        }
        else if ((spPrincipal as SPUser) != null)
        {
            //skip users that have Limited Access only (not reported: this occurs when the user has access to something deeper in the site)
            if (!spListItem.DoesUserHavePermissions(spPrincipal as SPUser, SPBasePermissions.ViewListItems))
            {
                continue;
            }

            //IsDomainGroup is false for an individual account, true for an AD group
            if (!(spPrincipal as SPUser).IsDomainGroup)
            {
                domainUserExists = true;
            }

            //add to list for report.
            if (isFirstIteration)
            {
                isFirstIteration = false;
            }
            else
            {
                accountsWithAccess += ";";
            }

            //depending on the account type sometimes the Login name has the credentials and sometimes it has
            //a UID
            if (spPrincipal.LoginName.ToLower().Contains("<company name>"))
            {
                accountsWithAccess += this.ParseUserIDFromClaim(spPrincipal.LoginName);
            }
            else
            {
                accountsWithAccess += this.ParseUserIDFromClaim(spPrincipal.Name);
            }
        }
    }
    return domainUserExists;
}

1 answer:

Answer 0 (score: 0)

So the problem was that the code returned the users or groups that have access to the folder, but it also returned other users who have Limited Access to the item because they have access somewhere else in the site.

I ended up correcting this by inserting the following code:

//more than one role bound, or the single bound role is not "Limited Access"
if (spRole.RoleDefinitionBindings.Count > 1 || !spRole.RoleDefinitionBindings.Xml.ToString().Contains("Limited Access"))
{
    //Process accounts
}

What this does is: if the user has more than one role bound for the list item, or the role they have is something other than Limited Access, the account is processed. Otherwise it is one of those "phantom access" entries that do not actually grant direct access to the list item.
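The following is an added example, not the asker's or the answerer's code, showing the same audit for the use case described in the question (secured folders may only be granted to AD groups, and files inside them must not be shared to individual users). It assumes the SharePoint 2013 server object model (Microsoft.SharePoint.dll, run on a farm server). Instead of matching the string "Limited Access" in the binding XML, it drops role definitions whose Type is SPRoleType.Guest, which is the type of the built-in Limited Access role; it does not expand SharePoint group membership, reports the principal name only, flags any individual account granted directly, and walks the folder's files and subfolders for items with unique role assignments. The site URL, folder path and class names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint;

// Added example (not from the original page). Assumes the SharePoint 2013
// server object model and a farm server to run on.
public static class SecuredFolderAudit
{
    // One row per principal holding a real (non-Limited-Access) grant on an item.
    public sealed class AccessEntry
    {
        public string ItemUrl;
        public string PrincipalName;
        public bool IsIndividualUser;   // true = an AD user granted directly (policy violation)
        public string Roles;            // e.g. "Read;Contribute"
    }

    // Enumerate role assignments on an item without expanding group membership.
    // "Limited Access" is the built-in role whose Type is SPRoleType.Guest; SharePoint
    // adds it automatically when a user has access deeper in the site, so it is skipped.
    public static List<AccessEntry> GetDirectGrants(SPSecurableObject item, string itemUrl)
    {
        var result = new List<AccessEntry>();
        foreach (SPRoleAssignment ra in item.RoleAssignments)
        {
            List<string> realRoles = ra.RoleDefinitionBindings
                .Cast<SPRoleDefinition>()
                .Where(rd => rd.Type != SPRoleType.Guest)
                .Select(rd => rd.Name)
                .ToList();
            if (realRoles.Count == 0)
                continue; // only Limited Access bound: a "phantom" entry, not a real grant

            SPPrincipal principal = ra.Member;
            SPUser user = principal as SPUser;
            result.Add(new AccessEntry
            {
                ItemUrl = itemUrl,
                PrincipalName = principal.Name,
                // SPGroup = SharePoint group; SPUser with IsDomainGroup = AD group;
                // SPUser without IsDomainGroup = an individual account
                IsIndividualUser = user != null && !user.IsDomainGroup,
                Roles = string.Join(";", realRoles)
            });
        }
        return result;
    }

    // Audit a folder: its own grants if it has unique permissions, then every file
    // and subfolder that broke inheritance, so an individual-user share cannot hide.
    public static List<AccessEntry> AuditFolder(SPFolder folder)
    {
        var findings = new List<AccessEntry>();
        SPListItem folderItem = folder.Item;
        if (folderItem != null && folderItem.HasUniqueRoleAssignments)
            findings.AddRange(GetDirectGrants(folderItem, folder.ServerRelativeUrl));

        foreach (SPFile file in folder.Files)
        {
            SPListItem fileItem = file.Item;
            if (fileItem != null && fileItem.HasUniqueRoleAssignments)
                findings.AddRange(GetDirectGrants(fileItem, file.ServerRelativeUrl));
        }
        foreach (SPFolder sub in folder.SubFolders)
            findings.AddRange(AuditFolder(sub));
        return findings;
    }

    // Usage: site URL and folder path below are placeholders.
    public static void Main()
    {
        using (var site = new SPSite("http://sharepoint.example.local/sites/secure"))
        using (SPWeb web = site.OpenWeb())
        {
            SPFolder root = web.GetFolder("Shared Documents/Restricted");
            foreach (AccessEntry e in AuditFolder(root))
            {
                Console.WriteLine("{0}\t{1}\t{2}\t{3}",
                    e.ItemUrl, e.PrincipalName,
                    e.IsIndividualUser ? "DIRECT-USER" : "group", e.Roles);
            }
        }
    }
}
```

Rows marked DIRECT-USER are the policy violations the question is after; everything else is a SharePoint group or an AD group, reported by name only. Checking the role type rather than the localized role name also keeps the filter working on farms where "Limited Access" is displayed in another language.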