I created this command because I was trying to debug an issue I was having. If you go through the central admin and remove a site permission for a web app (central admin > app management > user permissions for web applications) certain functionality that should work regardless of what setting you’ve removed no longer functions. For example – I removed “Apply Themes and Borders” for my intranet app:
I then went to site settings for one of my site collections and clicked the “Related Links Scope Settings” under Site Administration. The result is that I get an access denied error. The reason is that the code for this feature is checking whether the user's Effective Base Permissions match the FullMask permission:
“0x7fffffffffffffffL” corresponds to the SPEffectiveBasePermissions.FullMask permission. In my case my account is a site collection administrator and site owner so I should always have full control over the site but because I’ve denied the apply themes and borders permission the permissions that come back for my user are as follows:
C:\>stsadm -o gl-enumeffectivebaseperms -url "http://intranet/hr"
ViewListItems, AddListItems, EditListItems, DeleteListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, CancelCheckout, ManagePersonalViews, ManageLists, ViewFormPages, Open, ViewPages, AddAndCustomizePages, ApplyStyleSheets, ViewUsageData, CreateSSCSite, ManageSubwebs, CreateGroups, ManagePermissions, BrowseDirectories, BrowseUserInfo, AddDelPrivateWebParts, UpdatePersonalWebParts, ManageWeb, UseClientIntegration, UseRemoteAPIs, ManageAlerts, CreateAlerts, EditMyUserInfo, EnumeratePermissions

If I invert to see what permissions I’m missing I get the following:

C:\>stsadm -o gl-enumeffectivebaseperms -url "http://intranet/hr" -invert
ApplyThemeAndBorder, FullMask
The gl-enumeffectivebaseperms command is something I threw together to help debug this particular issue. If I go back to the central admin and add the apply themes and borders permission and run the commands above again then I’ll get back that my account now has everything but the FullMask associated with it and I still cannot get into the related links scope settings.
It seems like if I've got everything then the FullMask should kick in - unfortunately not. Fortunately I had another command in my toolkit which allowed me to solve the problem. I had long ago created the gl-enableuserpermissionforwebapp command - all I had to do was to run this command passing in the FullMask parameter:
C:\>stsadm -o gl-enableuserpermissionforwebapp -fullmask -url http://webapp
After running this I can now get into the pages. This is basically all the above command is doing:
When reassigning the permissions via the browser it's not considering the case in which all items are selected and therefore the FullMask permission should be added back. There's no way to fix this via the browser but this custom command that I’d created some time ago does the trick.
This smells very much like a bug to me – the code should not be relying on that FullMask or the check should at least consider whether I have access to all permissions that are available and not whether I have all permissions. Because of this issue I'm unable to get into certain parts of the site collection administration without temporarily changing the user rights settings. The only other item I've come across is the site collection policies which has the same issue.
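The bit arithmetic behind this behaviour, as an added example that is not part of the original post or of the gl-enumeffectivebaseperms source. The flag values are taken to mirror the SPBasePermissions enum, and the function names and the "compare against what the web app allows" check are illustrative assumptions:

```python
# Constructed model of the SharePoint base-permission bit flags (values assumed
# to mirror the SPBasePermissions enum); not the code behind the stsadm command.
PERMS = {
    "ViewListItems": 0x1, "AddListItems": 0x2, "EditListItems": 0x4,
    "DeleteListItems": 0x8, "ApproveItems": 0x10, "OpenItems": 0x20,
    "ViewVersions": 0x40, "DeleteVersions": 0x80, "CancelCheckout": 0x100,
    "ManagePersonalViews": 0x200, "ManageLists": 0x800, "ViewFormPages": 0x1000,
    "Open": 0x10000, "ViewPages": 0x20000, "AddAndCustomizePages": 0x40000,
    "ApplyThemeAndBorder": 0x80000, "ApplyStyleSheets": 0x100000,
    "ViewUsageData": 0x200000, "CreateSSCSite": 0x400000,
    "ManageSubwebs": 0x800000, "CreateGroups": 0x1000000,
    "ManagePermissions": 0x2000000, "BrowseDirectories": 0x4000000,
    "BrowseUserInfo": 0x8000000, "AddDelPrivateWebParts": 0x10000000,
    "UpdatePersonalWebParts": 0x20000000, "ManageWeb": 0x40000000,
    "UseClientIntegration": 0x1000000000, "UseRemoteAPIs": 0x2000000000,
    "ManageAlerts": 0x4000000000, "CreateAlerts": 0x8000000000,
    "EditMyUserInfo": 0x10000000000, "EnumeratePermissions": 0x4000000000000000,
    "FullMask": 0x7FFFFFFFFFFFFFFF,
}
FULL_MASK = PERMS["FullMask"]

# OR of every individually named right. This is NOT equal to FullMask, because
# FullMask also sets bits that no named permission uses.
ALL_NAMED = 0
for _name, _bit in PERMS.items():
    if _name != "FullMask":
        ALL_NAMED |= _bit

def enum_perms(mask, invert=False):
    """Names whose bits are all set in mask (or, with invert, not all set)."""
    return [n for n, v in PERMS.items() if ((mask & v) == v) != invert]

def strict_check(effective):
    """The check the post describes: effective permissions must equal FullMask."""
    return effective == FULL_MASK

def available_check(effective, webapp_mask):
    """Hypothetical alternative: user holds every right the web app still allows."""
    allowed = webapp_mask & ALL_NAMED
    return (effective & allowed) == allowed

if __name__ == "__main__":
    denied = ALL_NAMED & ~PERMS["ApplyThemeAndBorder"]  # right removed in central admin
    print(enum_perms(denied, invert=True))     # missing rights after the removal
    print(enum_perms(ALL_NAMED, invert=True))  # missing rights after re-ticking every box
    print(strict_check(ALL_NAMED), available_check(denied, denied))
```

Ticking every individual right still leaves the mask short of 0x7fffffffffffffff, which is why an equality test against FullMask keeps failing until FullMask itself is written back.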
I'm not sure if there are others beyond these two - reflector won’t let me search for the 0x7ff…L string so I’m not sure of the scope of the problem. If anyone out there knows of something that I'm missing I'd love to hear it.
I'm not really sure how useful this command will be to others out there - I originally was just going to delete it once I was done with it but then changed my mind last minute - mainly because I know others must have bumped up against this same issue so hopefully this post, if not the command itself, will save someone some time.
The code is pretty simple - getting the permissions for the current user is real easy - just call the EffectiveBasePermissions property on an SPWeb object. To get the same for a user other than the one logged in is a bit more tricky. I had to use some reflection to call the SPUtility.GetPermissions() method - it's the only method that I could find that would allow me to pass in a login (of course I had to call another internal method in order to get the SPUserToken object to pass into this method). If anyone knows of a simpler way, again, please let me know.

The syntax of the command can be seen below:

C:\>stsadm -help gl-enumeffectivebaseperms

stsadm -o gl-enumeffectivebaseperms

Lists the effective base permissions for a user.

Parameters:
        -url <web url>
        [-user <DOMAIN\name>]
        [-invert (shows what base permissions the user is missing)]

Here's an example of how to return the effective base permissions for the currently logged in user:

stsadm -o gl-enumeffectivebaseperms -url "http://intranet/hr"

The results of running this command are shown above.