I am trying to find a way to get a list of the AD users and AD groups that have access to a folder or file where inheritance has been broken. I don't need to know how to find where inheritance is broken, I already have that part, but I am having trouble finding every user or group that has access. I don't want to see which users are in an AD group, I only want to see the names of the groups that have access to the folder. The use case behind this is that we do not want secured folders shared to individual users. All of this must be controlled by AD groups only (site owners do not have the right to add users to secured folders). I also need to determine whether any files in the folder do not inherit from the folder and are also shared to individual users rather than AD groups (hope that makes sense). Below is what I have done so far, but for some reason it returns users who have access elsewhere in the site, and the users with Limited Access also have to be cleaned up afterwards.
Here is the code I have written so far. It takes the item object of the file or folder and a reference to a string. It scans the access, then builds a semicolon-delimited list of users, and returns true if one of the SPUser objects is a user rather than a group:
    using Microsoft.SharePoint;

    /// <summary>
    /// Provides list of users\groups that have access to a List Item.
    /// </summary>
    /// <param name="spListItem">Item to check access of</param>
    /// <param name="accountsWithAccess">Receives the semicolon-delimited list of users\groups with access</param>
    /// <returns>true if a direct (non-group) user has access to the item</returns>
    public bool GetListItemUserAccess(SPListItem spListItem, ref string accountsWithAccess)
    {
        bool isFirstIteration = true;
        bool domainUserExists = false;
        SPRoleAssignmentCollection spItemRoles = spListItem.RoleAssignments;

        foreach (SPRoleAssignment spRole in spItemRoles)
        {
            SPPrincipal spPrincipal = spRole.Member;

            // cast as SPGroup or SPUser to determine whether the principal is a group or a user
            SPGroup spGroup = spPrincipal as SPGroup;
            if (spGroup != null)
            {
                SPUserCollection usersInGroup = spGroup.Users;

                // report on each user in the group
                foreach (SPUser spUser in usersInGroup)
                {
                    // an SPUser that is not a domain group is an individual account
                    if (!spUser.IsDomainGroup)
                    {
                        domainUserExists = true;
                    }

                    // add to the list for the report
                    if (isFirstIteration)
                    {
                        isFirstIteration = false;
                    }
                    else
                    {
                        accountsWithAccess += ";";
                    }

                    // depending on the account type, sometimes the login name carries the credentials
                    // and sometimes it carries a UID
                    if (spUser.LoginName.ToLower().Contains("<company name>"))
                    {
                        accountsWithAccess += this.ParseUserIDFromClaim(spUser.LoginName);
                    }
                    else
                    {
                        accountsWithAccess += this.ParseUserIDFromClaim(spUser.Name);
                    }
                }
            }
            else
            {
                SPUser spDirectUser = spPrincipal as SPUser;
                if (spDirectUser == null)
                {
                    continue;
                }

                // skip principals that only have Limited Access (we don't report on this, as it
                // occurs whenever a user has access to something else in the site)
                if (!spListItem.DoesUserHavePermissions(spDirectUser, SPBasePermissions.ViewListItems))
                {
                    continue;
                }

                // an SPUser that is not a domain group is an individual account
                if (!spDirectUser.IsDomainGroup)
                {
                    domainUserExists = true;
                }

                // add to the list for the report
                if (isFirstIteration)
                {
                    isFirstIteration = false;
                }
                else
                {
                    accountsWithAccess += ";";
                }

                // depending on the account type, sometimes the login name carries the credentials
                // and sometimes it carries a UID
                if (spDirectUser.LoginName.ToLower().Contains("<company name>"))
                {
                    accountsWithAccess += this.ParseUserIDFromClaim(spDirectUser.LoginName);
                }
                else
                {
                    accountsWithAccess += this.ParseUserIDFromClaim(spDirectUser.Name);
                }
            }
        }

        return domainUserExists;
    }
Answer 0 (score: 0)
So the problem was that the code returned the users or groups that had access to the folder, but it also returned other users who have Limited Access on the item because they have access somewhere else in the site.
I ended up correcting this by inserting the following code:
    // only process the assignment if it binds more than one role definition, or its single
    // role definition is something other than the built-in "Limited Access" level
    if (spRole.RoleDefinitionBindings.Count > 1 || !spRole.RoleDefinitionBindings.Xml.Contains("Limited Access"))
    {
        // Process accounts
    }
What this does is: if the user has more than one role bound for the list item, or the role they have is not Limited Access, then the account is processed. Otherwise it is one of these "phantom access" entries that does not actually grant direct access to the list item.
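The same filtering, written as an added example rather than the poster's code, using the SharePoint server object model. It tests the role definition's type (Limited Access is the built-in role of type SPRoleType.Guest) instead of searching the bindings XML for a display name, reports group names without expanding membership as the question asked, flags direct user grants, and also visits files under the folder that have broken inheritance; the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
// Added example, not the poster's code: report principals with real rights on a folder and on
// files beneath it that break inheritance, without expanding groups; flag direct user grants.
public static class UniquePermissionAudit
{
    // Limited Access is the built-in role of type SPRoleType.Guest; testing the type
    // avoids matching the localized "Limited Access" display name in the bindings XML.
    static bool GrantsRealAccess(SPRoleAssignment ra)
    {
        foreach (SPRoleDefinition def in ra.RoleDefinitionBindings)
            if (def.Type != SPRoleType.Guest) return true;
        return false;
    }
    // Returns one "name (kind)" entry per principal; directUser is set when an individual
    // account (not an AD group) holds rights on the item itself.
    public static List<string> Principals(SPListItem item, out bool directUser)
    {
        var result = new List<string>();
        directUser = false;
        foreach (SPRoleAssignment ra in item.RoleAssignments)
        {
            if (!GrantsRealAccess(ra)) continue;        // phantom Limited Access entry, skip it
            SPUser user = ra.Member as SPUser;
            if (user == null)
                result.Add(ra.Member.Name + " (SharePoint group)");   // group: name only, no members
            else
            {
                result.Add(user.LoginName + (user.IsDomainGroup ? " (AD group)" : " (user)"));
                if (!user.IsDomainGroup) directUser = true;
            }
        }
        return result;
    }
    // Audits the folder itself and every file under it that has its own role assignments.
    public static void AuditFolder(SPFolder folder)
    {
        Report(folder.Item);
        foreach (SPFile file in folder.Files)
            if (file.Item.HasUniqueRoleAssignments) Report(file.Item);
    }
    static void Report(SPListItem item)
    {
        bool direct;
        List<string> who = Principals(item, out direct);
        Console.WriteLine("{0}: {1}{2}", item.Url, string.Join("; ", who), direct ? "  <-- shared to an individual user" : "");
    }
}
```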