OK, so the title of this post could also have been “Best Practices for Determining if a User is a SPWeb Administrator”, but then the search engines wouldn’t catch the post for all those unfortunate enough to be searching for FullMask or DoesUserHavePermissions() in the future. The Problem OK, OK, in all seriousness though. There are a lot of content out there that recommend that people simply useSPContext.Current.Web.DoesUserHavePermissions(SPBasePermissions.FullMask) when trying to determine if the current user has Administrator rights to the current web site (SPWeb). This is all good and well, but it assumed that you have NEVER customized your web application available permissions list i.e. your effective base permissions. So what’s the problem, you may be wondering… The problem is in the way SharePoint behaves when you do indeed customize your permissions for the web app. If you dive into SharePoint Central Administration under Central Administration > Application Management > Permissions for Web Application you will find all the SharePoint base permissions and the ability to turn any one of these permissions off by simply unchecking it’s checkbox and then clicking the OK button… all except for one… FullMask. If you were to uncheck say UseClientIntegration (in order to disable desktop apps such as Office or SPD from editing content directly on the server) and then save that state, SharePoint will do two things.
- It will remove the UseClientIntegration bit flag from the permissions bit mask and
- because total full control is no longer possible for the web app, it will also remove the FullMask bit flag from the mask.
SPWebApplication wa = SPWebApplication.Lookup(new Uri(url)); wa.RightsMask = wa.RightsMask | SPBasePermissions.FullMask; wa.Update()If you’re adventurous, you can go ahead and write an app or even your own STSADM extension for that, but if you’re like me, you’ll be happy to know that Gary already did that! Simply go and get his MOSS or WSS extension methods for STSADM package from his Download Page. It comes all nicely packaged in a .wsp ready for deployment into your SharePoint environment. The STSADM operation you need is: gl-enableuserpermissionforwebapp and the proper syntax for it is as follows: stsadm -o gl-enableuserpermissionforwebapp -fullmask -url http://YourWebAppURL So there you go. The best practice for determining if a user is an administrator for a site and a way to fix it if your code is using FullMask and broke because someone played with permissions. Enjoy…