Friday, 22 August 2014

Check if the current user belongs to a SharePoint group via AD groups

Recently I had to check whether a user belongs to specific SharePoint groups. While SPUser.Groups worked well as long as the user was added directly to the groups, it did not work when an Active Directory group the user belongs to was added to a SharePoint group.

I first tried resolving the AD groups iteratively, but that was obviously slow and expensive. There had to be a better solution, and I found it:

Since SharePoint uses claims authentication (the default in 2013), all of the user's AD groups (at least their SIDs) are already in the user's claims, including their complete hierarchy.

So all you have to do is something like:

    // testuser: the current IPrincipal (for example HttpContext.Current.User);
    // under claims authentication its Identity is a WIF ClaimsIdentity
    var claims = ((Microsoft.IdentityModel.Claims.ClaimsIdentity) testuser.Identity).Claims;

to get the current user's claims. Besides other claims, this collection contains the current user's groups, represented by their SIDs. You have to reference Microsoft.IdentityModel, which is usually located in the GAC on a SP2013 server.

To check whether the user or one of its groups belongs to a specific SharePoint group, you simply have to do:

    // Assumes: claims (obtained as above), groupName (the SharePoint group to check)
    // and userName (the user's claims-encoded login name) are in scope.
    // Any() requires "using System.Linq;".
    bool returnValue = false;

    // Reading group membership needs rights the current user may not have,
    // so open a fresh SPSite under the elevated (app pool) identity.
    SPSecurity.RunWithElevatedPrivileges(delegate
    {
        using (var elevatedSite = new SPSite(SPContext.Current.Site.ID))
        {
            // RootWeb is disposed together with elevatedSite; do not dispose it separately.
            var web = elevatedSite.RootWeb;
            // Throws SPException if no group of that name exists.
            var group = web.SiteGroups.GetByName(groupName);

            foreach (SPUser user in group.Users)
            {
                if (user.IsDomainGroup)
                {
                    // Domain groups in claims mode have a login name like "c:0+.w|S-1-5-21-...";
                    // the part after '|' is the group SID.
                    var sid = user.LoginName.Split('|')[1];
                    if (claims.Any(c => String.Equals(c.Value, sid, StringComparison.CurrentCultureIgnoreCase)))
                    {
                        returnValue = true;
                        break;
                    }
                }
                else if (user.LoginName == userName)
                {
                    returnValue = true;
                    break;
                }
            }
        }
    });

Maybe there is also a simple way to get all SharePoint groups that one of the SIDs belongs to. I have not tried that yet.
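As an added example (not the author's code), the following extends the check above to the question raised here: it resolves every site group of the current site collection that contains the user, either directly or through one of the AD groups carried as SID claims. It assumes a SharePoint 2013 server with the Microsoft.IdentityModel (WIF 3.5) assembly referenced, that HttpContext.Current.User.Identity is the WIF ClaimsIdentity, and that SPContext.Current is available; GroupMembershipResolver, GetSharePointGroupsForCurrentUser, IsMatch and ExtractSid are names chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;   // WIF 3.5, normally in the GAC on SP2013
using Microsoft.SharePoint;

public static class GroupMembershipResolver
{
    // Returns the names of all site groups of the current site collection that contain
    // the current user, directly or through an AD group present in the user's SID claims.
    public static IList<string> GetSharePointGroupsForCurrentUser()
    {
        // Assumption: the request principal carries the WIF claims identity SharePoint 2013 issues.
        var identity = HttpContext.Current.User.Identity as ClaimsIdentity;
        SPUser currentUser = SPContext.Current.Web.CurrentUser;
        if (identity == null || currentUser == null)
            return new List<string>(); // classic-mode or anonymous request: nothing to match

        // Claims-encoded login name, e.g. "i:0#.w|domain\user", the same form as group member names.
        string userLoginName = currentUser.LoginName;

        // Only SID-typed claims are considered; comparing every claim value would also
        // accept an unrelated claim whose value merely looks like a SID.
        var groupSids = new HashSet<string>(
            identity.Claims
                .Where(c => c.ClaimType == ClaimTypes.GroupSid || c.ClaimType == ClaimTypes.PrimaryGroupSid)
                .Select(c => c.Value),
            StringComparer.OrdinalIgnoreCase);

        var matches = new List<string>();
        Guid siteId = SPContext.Current.Site.ID;

        // Enumerating group members can require rights the user lacks, so open a fresh
        // SPSite under the elevated identity; its RootWeb is disposed with the site.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (var elevatedSite = new SPSite(siteId))
            {
                SPWeb web = elevatedSite.RootWeb;
                foreach (SPGroup group in web.SiteGroups)
                {
                    if (group.Users.Cast<SPUser>().Any(m => IsMatch(m, userLoginName, groupSids)))
                        matches.Add(group.Name);
                }
            }
        });
        return matches;
    }

    // True if the group member is the user itself or an AD group the user belongs to.
    private static bool IsMatch(SPUser member, string userLoginName, ISet<string> groupSids)
    {
        if (!member.IsDomainGroup)
            return string.Equals(member.LoginName, userLoginName, StringComparison.OrdinalIgnoreCase);

        string sid = ExtractSid(member.LoginName);
        return sid != null && groupSids.Contains(sid);
    }

    // Claims-mode domain group names look like "c:0+.w|S-1-5-21-...". Take the text after the
    // last separator; a name without '|' (classic mode) would make Split('|')[1] throw,
    // so it is reported as "no SID" instead.
    internal static string ExtractSid(string loginName)
    {
        if (string.IsNullOrEmpty(loginName))
            return null;
        int sep = loginName.LastIndexOf('|');
        if (sep < 0 || sep == loginName.Length - 1)
            return null;
        return loginName.Substring(sep + 1);
    }
}
```

Two design points worth noting: the group SIDs are taken from the token the user logged in with, so a change of AD membership is only reflected after the user's claims are reissued (a fresh sign-in), and filtering on the GroupSid claim types keeps a value from some other claim from being mistaken for a group match.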
