我正试图找到一种方法来获取可以访问已破坏继承的文件夹或文件的AD用户和AD组的列表。我不需要知道如何找到继承打破,我已经得到了那部分,但我有问题找到每个用户或组有访问权。我不想看到AD组中的用户,我只想看到正在访问文件夹的组的名称。这背后的用例是我们不希望将受保护的文件夹共享给单个用户。所有这些都必须由AD组控制(站点所有者没有权限将用户添加到安全文件夹)。还需要找出文件夹中是否有任何文件不是从文件夹继承的,并且也共享给个人用户而不是AD组(希望这有意义)。这是我到目前为止所拥有的,它在一定程度上起作用,但由于某种原因,它返回了可以访问其他站点的用户,以及访问受限的用户,我必须稍后清理。
这是我到目前为止写的代码。它接受文件或文件夹的item对象和对字符串的引用。它扫描访问,然后构建一个以分号分隔的用户列表,如果spuser对象之一是用户而不是组,则返回true:
/// <summary>
/// Provides list of usersgroups that have access to a List Item.
/// </summary>
/// <param name="spListItem">Item to check access of</param>
/// <returns>semi colon delimited list of usersgroups with access in a referenced list and boolean value indicating if a direct user exists</returns>
public bool GetListItemUserAccess(SPListItem spListItem, ref string accountsWithAccess)
{
//string accountsWithAccess = string.Empty;
bool IsFirstIteration = true;
bool domainUserExits = false;
SPRoleAssignmentCollection spItemRoles = spListItem.RoleAssignments;
SPRoleDefinitionCollection rolesInWeb = spListItem.Web.RoleDefinitions;
foreach(SPRoleAssignment spRole in spItemRoles)
{
SPPrincipal spPrincipal = spRole.Member;
//cast as SPGroup or SPUser to determine if is a SPGroup or User
if((spPrincipal as SPGroup) != null)
{
SPGroup spGroup = spPrincipal as SPGroup;
SPUserCollection usersInGroup = spGroup.Users;
//report on each user in group
foreach(SPUser spUser in usersInGroup)
{
//check to see if it is a user group
if(!spUser.IsDomainGroup)
{
domainUserExits = true;
}
//add to list for report.
if(IsFirstIteration)
{
IsFirstIteration = false;
}
else
{
accountsWithAccess += ";";
}
//depending on the account type sometimes the Login name has the credentials and sometimes it has
//a UID
if (spUser.LoginName.ToLower().Contains("<company name>"))
{
accountsWithAccess += this.ParseUserIDFromClaim(spUser.LoginName);
}
else
{
accountsWithAccess += this.ParseUserIDFromClaim(spUser.Name);
}
}
}
else if((spPrincipal as SPUser) != null)
{
//check to see if the user has limited access only (we don't report on this as this occurs when user has access to something in site)
if(!spListItem.DoesUserHavePermissions(spPrincipal as SPUser, SPBasePermissions.ViewListItems))
{
continue;
}
//check to see if it is a user group
if (!(spPrincipal as SPUser).IsDomainGroup)
{
domainUserExits = true;
}
//add to list for report.
if(IsFirstIteration)
{
IsFirstIteration = false;
}
else
{
accountsWithAccess += ";";
}
//depending on the account type sometimes the Login name has the credentials and sometimes it has
//a UID
if (spPrincipal.LoginName.ToLower().Contains("<company name>"))
{
accountsWithAccess += this.ParseUserIDFromClaim(spPrincipal.LoginName);
}
else
{
accountsWithAccess += this.ParseUserIDFromClaim(spPrincipal.Name);
}
}
}
return domainUserExits;
}
所以问题是代码不仅返回对文件夹有访问权限的用户或组,而且还返回对项目有有限访问权限的其他用户,因为他们在网站的其他地方有访问权限。
我最终通过插入以下代码纠正了这个问题:
if (spRole.RoleDefinitionBindings.Count > 1 || !spRole.RoleDefinitionBindings.Xml.ToString().Contains("Limited Access"))
{
//Process accounts
}
这样做的目的是,如果用户为列表项绑定了多个角色,或者他们拥有的角色不是有限访问,它将处理该帐户。否则,它就是这些"幻影访问"之一,实际上并没有授予对列表项