SubPointSolutions / spmeta2

SharePoint artifact provision for .NET platform. Supports SharePoint Online, SharePoint 2019, 2016 and 2013 via CSOM/SSOM.
http://subpointsolutions.com/spmeta2

Set permissions on folders #1093

Closed thomasneuberger closed 6 years ago

thomasneuberger commented 6 years ago

In version 1.2.130 setting permissions on folders seems to be broken.

My model looks like this:

SPMeta2Model.NewWebModel(<webmodel>, web => {
    web.AddHostList(BuiltInListDefinitions.Pages, list => {
        list.AddHostFolder(<foldermodel>, folder => {
            folder.AddBreakRoleInheritance(new BreakRoleInheritanceDefinition{ CopyRoleAssignment = false, ClearSubScopes = true });
            folder.AddSecurityGroupLink(<groupmodel>, group => {
                group.AddSecurityRoleLink(<rolename>);
            });
        });
    });
});

This ends up in the folder having no permission inheritance and only one permission for my user alone. In version 1.2.120, the group defined in has the role on the Folder.

I am using CSOM with SP2013.

avishnyakov commented 6 years ago

Hey @thomasneuberger, thanks for raising this. We'll be looking into this shortly.

thomasneuberger commented 6 years ago

Hey guys and girls,

it's me again with some update.

I realized that this issue exists in 1.2.120, too. I had to go all the way back to 1.2.95beta1 since it starts with 1.2.95beta3.

I can't imagine that this stayed unnoticed for all this time, so I am wondering if I am doing something wrong. But I'm doing exactly the same as with the old SPMeta2 version and the same as everywhere else for several years now.

avishnyakov commented 6 years ago

Hold on, you just made me realize that most likely, indeed, the model looks wrong.

We need to go one level deeper to get to the "updated object with broken permissions":

SPMeta2Model.NewWebModel(<webmodel>, web => {
    web.AddHostList(BuiltInListDefinitions.Pages, list => {
        list.AddHostFolder(<foldermodel>, folder => {
            // get deeper here, into object with broken permissions
            // attach role links to such object within callback on .AddBreakRoleInheritance()
            // it would be after breaking roles and before calling .Update() to apply/finalize security change
            folder.AddBreakRoleInheritance(new BreakRoleInheritanceDefinition{ CopyRoleAssignment = false, ClearSubScopes = true }, folderWithBrokenRoleInheritance => {

                folderWithBrokenRoleInheritance.AddSecurityGroupLink(<groupmodel>, group => {
                    group.AddSecurityRoleLink(<rolename>);
                });
            });

        });
    });
});

Here is an example in doco with a few comments to make sense:

http://docs.subpointsolutions.com/spmeta2/reference/sp-foundation-definitions/breakroleinheritancedefinition.html

In a nutshell, it has to do with the update cycle while breaking permissions. We break inheritance, clear up stuff if needed, then add/link the security group on the "inheritance broken object" (hence within the callback), and then once we are done, SPMeta2 climbs back up the model tree to finalize and call update on the broken security handler. Again, this is a specific case of security and inheritance, and of expressing it in a fluent way with .AddXXX() methods.

I hope that makes sense, should work well. Shame I didn't notice this before.
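
A post-provision check for the outcome discussed in this thread, as an added example that is not part of the original comments or of SPMeta2: it reads the folder's role assignments back over CSOM and confirms that the group actually holds the role. The class and method names are hypothetical, and the caller is assumed to supply an authenticated ClientContext plus the folder URL, group name and role name.

```csharp
using System;
using System.Linq;
using Microsoft.SharePoint.Client;

// Hypothetical helper, not part of SPMeta2.
public static class FolderPermissionCheck
{
    // Returns true only when the folder has unique permissions AND the named
    // SharePoint group holds the named role on it. All arguments are
    // caller-supplied; role names are matched by display name.
    public static bool GroupHasRoleOnFolder(
        ClientContext context,
        string folderServerRelativeUrl,
        string groupName,
        string roleName)
    {
        Folder folder = context.Web.GetFolderByServerRelativeUrl(folderServerRelativeUrl);
        ListItem item = folder.ListItemAllFields;

        // Fetch the inheritance flag and every assignment with its role bindings
        // in one round trip.
        context.Load(item, i => i.HasUniqueRoleAssignments);
        context.Load(item.RoleAssignments, assignments => assignments.Include(
            a => a.Member.Title,
            a => a.Member.PrincipalType,
            a => a.RoleDefinitionBindings.Include(r => r.Name)));
        context.ExecuteQuery();

        // List what is really on the folder, so a result like "only the
        // deploying user has access" is visible straight away.
        foreach (RoleAssignment a in item.RoleAssignments)
        {
            string roles = string.Join(", ", a.RoleDefinitionBindings.Select(r => r.Name));
            Console.WriteLine("{0} ({1}): {2}", a.Member.Title, a.Member.PrincipalType, roles);
        }

        if (!item.HasUniqueRoleAssignments)
        {
            return false; // inheritance was never broken
        }

        return item.RoleAssignments.Any(a =>
            a.Member.PrincipalType == PrincipalType.SharePointGroup &&
            string.Equals(a.Member.Title, groupName, StringComparison.OrdinalIgnoreCase) &&
            a.RoleDefinitionBindings.Any(r =>
                string.Equals(r.Name, roleName, StringComparison.OrdinalIgnoreCase)));
    }
}
```

Running this after each deployment turns a silently missing group link into a failed check instead of a folder that only the provisioning account can reach.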

thomasneuberger commented 6 years ago

Hi Anton,

both you and your eagle eye are awesome. Thanks for that (totally justified) RTFM. This works.

You can close this issue now.

avishnyakov commented 6 years ago

Very well!