jQuery to the Rescue: Displaying/Hiding Content based on User Permissions or “When Edit Items permissions don’t work…”
Author: Jim Bob Howard
Problem
I recently had a request to create an "intake" list to report Employee Injuries and Illnesses to HR. The requirements were that the Employee could create a list item, but not edit it. Seems simple enough: Create a permission that looks like Contribute, but remove Edit Items.
But, another requirement blew that out of the water: A created workflow needs to perform some lookups on the Employee, the Supervisor, an Assistant Supervisor (if any), and Medical Staff (if any); and then write those bits of data out to the list item, too. Since workflows run under the ID of the person who performed the task that caused them to fire, this workflow requires Edit Items permission.
OK, well, how about we start them off with Edit Items, run the workflow to make the updates, and have the last step in the workflow change the permissions on the item to Read for this user?
You can do that, but you wouldn’t get the results you were hoping for.
SharePoint ORs all inherited permissions to determine if the user can perform a task. In other words, a user can edit a list item if:
- They have Edit Items permission on the item, OR
- They have Edit Items permission on the list, OR
- They have Edit Items permission on the site
So, even though they have Read permission on the item, they have Edit permission on the list so they can still edit the item.
Solution:
Here’s a solution that will help with this situation.
First, using SPD, you’ll need to edit the EditForm.aspx for the list and use IfHasRights() as a condition for displaying an editable field or just the text of the field. In my situation, users who CAN edit are those with Manage Permissions permission, which Contribute doesn’t have. So, I used a <xsl:choose> structure to check for IfHasRights(33554432).
Next, using Marc Anderson’s jQuery Library for SharePoint Web Services, you’ll need to hide the Edit Item button on the DispForm.aspx if the user doesn’t have Manage Permissions and doesn’t have Full Control of the list. (Full Control has a permissions mask of 9223372036854775807, but is not the sum of all the permissions it has.) The following jQuery code accomplishes this (add it to a hidden CEWP at the bottom of the page, though Marc recommends a different approach).
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js" type="text/javascript"></script>
<script src="/js/jquery.SPServices-0.4.7.min.js" type="text/javascript"></script>
<script type="text/javascript">
$(document).ready(function() {
$().SPServices({
operation: "GetRolesAndPermissionsForCurrentUser",
async: false,
completefunc: function(xData, Status) {
// alert(xData.responseXML.xml);
var userPerm = $(xData.responseXML).find("[nodeName=Permissions]").attr("Value");
// alert("userPerm = " + userPerm);
var nonAdminP = (33554432 & userPerm) == 33554432;
// alert("nonAdminP == 33554432: " + nonAdminP);
var adminP = userPerm == 9223372036854775807;
// alert(adminP);
var hideEdit = !(nonAdminP | adminP);
// alert("hideEdit = " + hideEdit);
if (hideEdit) {
//alert("Hide");
$("a[title='Edit Item']").parent().parent().parent().hide();
$("td.ms-separator:nth-child(2)").hide();
}
}
});
});
</script>
To see how it’s working and what each step is returning, uncomment the alerts.
Hope that helps someone.
Author: Jim Bob Howard
Jim Bob Howard is a web designer / web master in the healthcare industry. He has been working with SharePoint only since March 2009 and enjoys sharing what he has learned. You can email him at [email protected].
- jQuery to the Rescue - Automate All Day Event
- jQuery to the Rescue - Default Text Based on Radio Button Click
- jQuery to the Rescue: Writing a Survey ID to a List on Response Creation (w/o Workflow)
- jQuery to the Rescue: Requesting a review only once per user
- jQuery to the Rescue: Displaying/Hiding Content based on User Permissions or "When Edit Items permissions don't work..."
- jQuery to the Rescue: Labeled Sections on Default Forms
I’ve looked for a solution to check currentUser permission for a sharepoint list which does not inherit site permissions.
I did not get such permisions with GetRolesAndPermissionsForCurrentUser.
May be is there any way around?
Dear Vladimir,
Take out the comment lines here:
// alert(xData.responseXML.xml);
There are other permissions tags in the XML. See if one of those will get you what you need. Hope that helps.
Blessings,
Jim Bob
There is no xData.responseXML.xml. It’s underfined
Here is the full responseXML.
An this come from site not from list. Don’t forget to make a List with unique permissions.
var xd=''; function isHasRights(){ var r = false; $().SPServices({ operation: "GetRolesAndPermissionsForCurrentUser", async: false, completefunc: function(xData, Status) { //alert(xData.responseXML.xml); xd=xData; var userPerm = $(xData.responseXML).find("[nodeName=Permissions]").attr("Value"); var userRole = $(xData.responseXML).find("[nodeName=Role]").attr("Name"); alert(userRole); alert("userPerm = " + userPerm); var nonAdminP = (33554432 & userPerm) == 33554432; //alert("nonAdminP == 33554432: " + nonAdminP); var adminP = userPerm == 9223372036854775807; alert(adminP); r = (nonAdminP | adminP) ? true : false; alert(r); } }); return r; }I put in:
$(function(){ isHasRights() }Then in Google Chrome in console I’ve looked for xd variable
I’m going to have to punt his one to Marc Anderson…
Marc?
Vladimir:
There are several different ways to get that information, depending on where you want to do it. Since we can’t post code easily here, can you post what you’re seeing over on my SPServices Codeplex site in the Discussions? I’m sure we can get things running for you.
M.
Marc and Jim Bob – Vladimir sent me his code, so I’ve updated his comment. — Mark
Vladimir:
Since you showed me the results you are getting, we know that the call is working. If you look at the SDK, the GetRolesAndPermissionsForCurrentUser method returns roles and permissions at the site level. There are other Web Services available that may be more useful for what you are trying to do. Take a look at the Permissions.GetPermissionCollection Method. Keep in mind that you may need to combine several Web Services calls to get exactly what you want.
M.
I am trying to do something sslightly different. Any suggestions?
I am creating a “Contact Me” list for anonymous users. I want them to be able to add entries, but no unathenticaed users (hackers) should have access to the list.
There are setting on a list that enable users to see only their own entires, but this setting doesn’t work for an anonymous list.
Right now the only thing I can think of is to create a workflow that sends off an email to another list with the contents of the Contact Me entry. This email would be sent off to a list that is locked down. After the email is sent, the workflow would delete the entry.
Thoughts?
P.S.
Is there any Enduser SharePoint way of adding a “Captcha” field to ensure a human is filling out the Contact Me form?