views: 232 | answers: 1

Hi,

I've recently begun developing for SharePoint. I've just written an event receiver for a task list in order to grant edit permissions for the item to the user who is entered in the Assigned To field.

Unfortunately my code doesn't work, and I think I've also found the reason.

The list grants Contribute rights to all users by default, so that everybody can add a task. Under Advanced settings, the item-level permissions are set so that all users can read all items, but they can only edit their own items.

When I create an item and check its permissions now, every user is already listed with Contribute rights. They can also go to the edit form, but on submitting the updated item, a permission error is displayed.

And that is the point where I'm stuck. If the users are already listed as contributors, but still can't change the item, what can I do to allow it?

I know how to add rights and break role inheritance programmatically, but as contributors aren't allowed to update foreign items, it is useless.

My current idea is: under Advanced settings, set edit access to "all items", and in the event receiver, in the ItemAdded event, break the role inheritance, add the creator and the "assigned to" user with Contribute rights, and give the rest Read permissions.

But as the role inheritance is broken, what happens with new users? They will not be able to see tasks which were created before they joined the task list, I think. Also, I'm unsure what performance issues it will cause.

Any advice?

+1  A: 

Honestly this seems like a little bit of overkill, managing permissions for each list item, but if that is your requirement... :) In my experience, just because people have access to edit all the items it doesn't mean they are going to edit someone else's items (honor system).

I would create two SharePoint groups:

  • List Item Visitors - for people who can read all list items
  • List Item Members - for people who can edit all list items

Then, disable the "edit only your items" option in your list settings.

Finally, in your event receiver, the code will add List Item Visitors with READ, List Item Members with CONTRIBUTE, and the Assignee with CONTRIBUTE.

This way, if new users come along that need to read all items: add them to the Visitors group. If there is an "admin"-type person who needs to manage all items: add them to the Members group. Changing the Assignee will remove the old assignee and add the new assignee with CONTRIBUTE.

Kit Menke
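The scheme described in this answer, written out as an added example (this is not code from the original thread or from Microsoft's own samples). It assumes a SharePoint 2007/2010 server-side event receiver (Microsoft.SharePoint), that the two groups "List Item Visitors" and "List Item Members" already exist in the site, and that the list uses the standard task-list field names "Author" and "AssignedTo". Two points the answer leaves implicit are handled here: the event fires as the user who submitted the form, who as a Contributor cannot manage permissions, so the permission work runs under elevated privileges on freshly opened objects; and rather than diffing the old and new assignee, the whole set of role assignments is rebuilt on every update, which is idempotent and also repairs an item whose permissions were edited by hand.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not part of the original post or of any SharePoint sample.
// Group names are the ones proposed in the answer; they are assumed to exist.
public class TaskPermissionReceiver : SPItemEventReceiver
{
    private const string VisitorsGroup = "List Item Visitors";
    private const string MembersGroup = "List Item Members";

    public override void ItemAdded(SPItemEventProperties properties)
    {
        ApplyPermissions(properties);
    }

    // Rebuilding the full set on each update covers an assignee change without
    // needing BeforeProperties (which is not populated for list items).
    // No item.Update() is called here, so this does not re-trigger itself.
    public override void ItemUpdated(SPItemEventProperties properties)
    {
        ApplyPermissions(properties);
    }

    private static void ApplyPermissions(SPItemEventProperties properties)
    {
        // Elevation only applies to SPSite/SPWeb objects opened inside the
        // delegate, so the item is re-fetched by ID rather than using
        // properties.ListItem, which was opened as the submitting user.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(properties.SiteId))
            using (SPWeb web = site.OpenWeb(properties.RelativeWebUrl))
            {
                SPList list = web.Lists[properties.ListId];
                SPListItem item = list.GetItemById(properties.ListItemId);

                // Stop inheriting from the list, then clear whatever was copied
                // so the item's ACL contains exactly the assignments added below.
                if (!item.HasUniqueRoleAssignments)
                {
                    item.BreakRoleInheritance(true);
                }
                for (int i = item.RoleAssignments.Count - 1; i >= 0; i--)
                {
                    item.RoleAssignments.Remove(i);
                }

                SPRoleDefinition read = web.RoleDefinitions.GetByType(SPRoleType.Reader);
                SPRoleDefinition contribute = web.RoleDefinitions.GetByType(SPRoleType.Contributor);

                Grant(item, web.SiteGroups[VisitorsGroup], read);
                Grant(item, web.SiteGroups[MembersGroup], contribute);

                // Creator and assignee come from the stored item, never from the
                // submitted form values, so a caller cannot smuggle in a principal.
                SPUser creator = ResolveUser(web, item["Author"]);
                SPUser assignee = ResolveUser(web, item["AssignedTo"]);
                if (creator != null) Grant(item, creator, contribute);
                if (assignee != null) Grant(item, assignee, contribute);
            }
        });
    }

    private static void Grant(SPListItem item, SPPrincipal principal, SPRoleDefinition role)
    {
        SPRoleAssignment assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(assignment);
    }

    // User fields are stored as "id;#name". Returns null for an empty field or
    // when the value resolves to a group rather than a user (an assignee group is
    // out of scope for this example).
    private static SPUser ResolveUser(SPWeb web, object fieldValue)
    {
        string raw = fieldValue as string;
        if (string.IsNullOrEmpty(raw)) return null;
        return new SPFieldUserValue(web, raw).User;
    }
}
```

Because the ACL is rebuilt from scratch on every update, anything granted to the item outside this receiver is deliberately discarded; if that is unwanted, keep the loop but skip assignments for the two groups. ItemAdded and ItemUpdated are asynchronous "after" events, so there is a short window after saving during which the item still carries the list's inherited permissions.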
Hi, thanks for the answer :) But unfortunately the requirements strictly require that the item is only editable by the creator and the assignee. In the meanwhile I got the idea to set the editable option to all, and then check in the event receiver (updating) if the current logged-in user is either the creator or the assignee of the item. This would also cause the least performance impact. I'm only afraid of the lack of security due to the fact that, if the event receiver is disabled, suddenly everybody can edit anything. (Even with the honor system, there can always be black sheep ;) )
yan.kun
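The check proposed in the comment above, as an added example (not code from the thread), under the same assumptions as before: a server-side event receiver on a task list with the standard "Author" and "AssignedTo" fields. It runs in the synchronous ItemUpdating event so the write can be cancelled. The comment's worry is exactly right and is the design property to keep in mind: this is a gate that exists only while the receiver is attached and enabled, and the list's "edit all items" setting is what remains if the receiver is removed. The permission-based approach fails closed; this one fails open.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not part of the original thread. Assumes the list's
// item-level permissions allow editing all items, and that this receiver
// is the only thing stopping a non-creator/non-assignee from saving.
public class CreatorOrAssigneeOnlyReceiver : SPItemEventReceiver
{
    public override void ItemUpdating(SPItemEventProperties properties)
    {
        // The stored item, as it is BEFORE this update is applied.
        SPListItem item = properties.ListItem;

        // Compare against the stored creator and assignee, not against
        // properties.AfterProperties: the submitted form could reassign the
        // task to the caller, and a check on the new values would pass.
        int creatorId = LookupId(item["Author"]);
        int assigneeId = LookupId(item["AssignedTo"]);
        int currentUserId = properties.CurrentUserId;

        bool isCreatorOrAssignee = currentUserId == creatorId || currentUserId == assigneeId;
        bool isSiteAdmin = item.Web.CurrentUser != null && item.Web.CurrentUser.IsSiteAdmin;

        if (!isCreatorOrAssignee && !isSiteAdmin)
        {
            // Cancelling here rejects the save; the item is left unchanged.
            properties.Cancel = true;
            properties.ErrorMessage = "Only the creator or the assignee may edit this task.";
        }
    }

    // User fields are stored as "id;#name"; an empty field yields -1, which
    // never matches a real user ID.
    private static int LookupId(object fieldValue)
    {
        string raw = fieldValue as string;
        if (string.IsNullOrEmpty(raw)) return -1;
        return new SPFieldLookupValue(raw).LookupId;
    }
}
```

Two caveats belong with this approach. A user who reassigns a task to someone else loses the right to edit it on the next save (they are no longer creator or assignee), which may or may not be what the requirement intends. And because the gate is only in the receiver, any path that does not fire ItemUpdating for the list, or a deployment where the receiver is disabled, removes the control entirely; a periodic check that the receiver is still registered on the list is the minimum compensating measure.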