Second Life of a Hungarian SharePoint Geek

January 29, 2015

The Pitfall of SharePoint Alerts

Filed under: Alerts, Bugs, SP 2010 — Peter Holpar @ 22:50

Recently we received a complaint from one of our users. She had created a subscription for alerts on changes to a list, but when she later decided to cancel the subscription, she got an error (access denied). The problem was easy to reproduce, and the reason was pretty straightforward as well. Users who have permissions on a specific list, but not on the parent site of the list, may be affected by this “design issue”. We faced the error on SP 2010, but as far as I can see it affects MOSS 2007 (WSS 3.0) and SP 2013 users as well.


For those of you who would like to know the technical background of the issue: you create an alert from the list ribbon via the application page SubNew.aspx and manage your alerts via the MySubs.aspx page; both pages are located in the _layouts folder. The code-behind classes for these pages are SubNewPage and MySubsPage respectively, from the assembly Microsoft.SharePoint.ApplicationPages (and the namespace of the same name). There is no security check in the OnLoad method of the SubNewPage class (nor in its base classes); however, the OnLoad method of the MySubsPage class calls the CheckRights method of the LayoutsPageBase class (Microsoft.SharePoint assembly, Microsoft.SharePoint.WebControls namespace). This method checks whether the current user has the DefaultLayoutsRights permissions (that is, SPBasePermissions.EmptyMask | SPBasePermissions.ViewFormPages | SPBasePermissions.Open | SPBasePermissions.ViewPages) on the parent web, not on the list. If not, the user is not able to manage the alerts she created earlier.
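To find out who is affected before users complain, the same check that MySubsPage performs can be replayed over the alerts of a web with the server object model. The following audit is an added example, not code from the post or from SharePoint; it assumes it runs on a SharePoint server under an account that can open the site, and the web URL is a placeholder to replace with your own.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: lists alerts whose owners would fail the CheckRights call
// made by MySubsPage.OnLoad, i.e. users who own an alert on a list but lack
// DefaultLayoutsRights on the parent web and therefore cannot cancel it.
class AlertRightsAudit
{
    // The permission mask the post attributes to DefaultLayoutsRights.
    static readonly SPBasePermissions DefaultLayoutsRights =
        SPBasePermissions.EmptyMask | SPBasePermissions.ViewFormPages |
        SPBasePermissions.Open | SPBasePermissions.ViewPages;

    static void Main(string[] args)
    {
        // Placeholder URL (assumption); pass the real web URL as the first argument.
        string webUrl = args.Length > 0 ? args[0] : "http://sharepoint.example/sites/demo";

        using (SPSite site = new SPSite(webUrl))
        using (SPWeb web = site.OpenWeb())
        {
            int affected = 0;
            // SPWeb.Alerts contains every alert defined on the web, across all lists.
            foreach (SPAlert alert in web.Alerts)
            {
                if (alert.User == null) continue;

                // Replay the page's check: rights are evaluated on the web, not on the list.
                bool canManage = web.DoesUserHavePermissions(alert.User.LoginName, DefaultLayoutsRights);
                if (canManage) continue;

                affected++;
                string listTitle = alert.List != null ? alert.List.Title : "(no list)";
                Console.WriteLine("Alert '{0}' on list '{1}' belongs to {2}, who lacks DefaultLayoutsRights on {3}",
                    alert.Title, listTitle, alert.User.LoginName, web.Url);
            }
            Console.WriteLine("{0} alert(s) cannot be managed by their owners via MySubs.aspx", affected);
        }
    }
}
```

Running this per web gives you the list of alert owners to contact or to grant the missing web-level rights to, instead of discovering the access-denied page one user at a time.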
