Understand SharePoint Permissions - Part 2. Check SharePoint user/group permissions with Permissions web service and JavaScript


In Part 1. I have mentioned that you can check user permissions without using any of SharePoint OM, or you can perform permission check on remote site/application. In this post you are going see a simple example of how to do it.

The goal here is to create a new web application with web service reference to SharePoint Permission web service. This web application only has one default.aspx page with two drop down lists on it.

First drop down list (DDL) pre-populates data with SharePoint users/groups name returned by GetPermissionCollection method of Permissions web service. Second DDL contains list of SPBasePermissoions permissions.

JavaScript function will be used to check if user/group selected in first DDL has permission right selected in second DDL. An image will be displayed to indicates the result.

James Tsai .Net SharePoint Blog - Two Drop Down Lists

Project Setup

Create a new ASP.NET project with standard project template and then add Web Service reference. Two image files also included in project for displaying the result.

James Tsai .Net SharePoint Blog - New web application with WS reference

The web service URL is http://<site url>/_vti_bin/permissions.asmx and we named it SharePointPermissionsService

James Tsai .Net SharePoint blog - Add Permission Web Service Reference


Create Drop Down Lists

<!-- default.aspx -->

<div style="float:left;">

        <asp:DropDownList ID="ddlUserGroup" runat="server" />

        <select name="ddlPermissionSet" id="ddlPermissionSet" onChange="DoPermissionCheck()">

                <option value="0x0000000000000001">ViewListItems</option>

                <option value="0x0000000000000002">AddListItems</option>

                <!--....................more permissions here........-->

                <option value="0x0000010000000000">EditMyUserInfo</option>



<div id="divFailed" style="display:none">

                <img src="Image/failed.gif" />


<div id="divPassed" style="display:none">

                <img src="Image/passed.gif" />


First div contains two drop down lists. One is ASP DropDownList control and its options are loaded from server side. And other one is normal html drop down list with options from the permissions table from Part 1.

The first ASP DropDownList control is pre-populated with following code


//Add reference to web serivce proxy we created earlier
using SharePointPermissionsService;
//Add other references here
public partial class _Default : System.Web.UI.Page
    protected void Page_Load(object sender, EventArgs e)
        if (!IsPostBack)
        /*Create web service instance*/
            Permissions p = new Permissions();
        /*make call to GetPermissionCollection method with site name "Sandbox" and type "Web"*/
            XmlNode node = p.GetPermissionCollection("Sandbox", "Web");
            using (XmlNodeReader reader = new XmlNodeReader(node))
        /*load dataset from xmlreader*/
                DataSet ds = new DataSet();               
        /*data binding*/
                ddlUserGroup.DataSource = ds.Tables[1];
                ddlUserGroup.DataTextField = "GroupName"; //bind display text to GroupName
                ddlUserGroup.DataValueField = "Mask";  // bind option value to Mask value

Remember, you must make sure the user running the context has permission to access SharePoint web service. Or you can use

p.Credentials = <create new credential here> to call web service with specific credential in the code above.

GetPermissionCollection returns data in following format














            GroupName="Sandbox Members"


        <!--.....More permissions here.....-->






            GroupName="Quick Deploy Users"




Two drop down lists will be displayed as following

James Tsai .Net SharePoint Blog - User Group Name Drop Down List

James Tsai .Net SharePoint Blog - Permission Drop Down List

Create permission check function

Permission DDL has its onClick event registered with DoPermissionCheck() JavaScript function. DoPermissionCheck() is where you perform bitwise operation to compare user/group mask with each permission.

DoPermissionCheck() does four things

1. Get selected values of both DDL

2. Convert selected decimal value from ddlUserGroup DDL to Hex base16.

3. Get high and low masks from user mask and permission mask (in Hex base 16)

4. Perform bitwise AND operation on two high masks and two low masks.

If you look closer, you will find it has similar implementation to HasRights(), EqualRights(), SetCurrentPermMaskFromString() functions from CORE.JS in SharePoint. SharePoint uses these three JavaScript functions to check user permissions (like what we doing here) to display correct list item context menu for user.


function DoPermissionCheck()
        /*get first dropdownlist selected value*/
        var uSelectedIndex = document.getElementById("<%Response.Write(ddlUserGroup.ClientID);%>").selectedIndex
        var uSelectedValue = document.getElementById("<%Response.Write(ddlUserGroup.ClientID);%>").options[uSelectedIndex].value
        /*get second dropdownlist selected value*/
        var pSelectedIndex  = document.getElementById("ddlPermissionSet").selectedIndex
        var pSelectedValue = document.getElementById("ddlPermissionSet").options[pSelectedIndex].value           
        /*convert user mask to hex base 16 (use toString(16))*/
        var maskInDecimal = parseInt(uSelectedValue);
        var userP = maskInDecimal.toString(16);       
        var requiredP = pSelectedValue;
        /*get masks length*/
        var requiredPL = requiredP.length;
        var userPL = userP.length;            
        /*get high and low permisison mask    */
        var requiredPermMaskH=parseInt(requiredP.substring(2, requiredPL - 8), 16);
        var requiredPermMaskL=parseInt(requiredP.substring(requiredPL - 8, requiredPL), 16);           
        /*get high and low user/group mask*/
        var userPermMaskH;
        var userPermMaskL;
        if(userP.length <=10 )
                userPermMaskH=parseInt(userP.substring(2, userPL - 8), 16);
                userPermMaskL=parseInt(userP.substring(userPL - 8, userPL), 16);
        /*do bitwise AND operation*/
        if(((requiredPermMaskL & userPermMaskL)==requiredPermMaskL)
                && ((requiredPermMaskH & userPermMaskH)==requiredPermMaskH))
                document.getElementById("divPassed").style.display = "";
                document.getElementById("divFailed").style.display = "none";
                document.getElementById("divPassed").style.display = "none";
                document.getElementById("divFailed").style.display = "";

Now you can select different user/group and permission to see the image change.

James Tsai .Net SharePoint Blog - User Has No Permission example

And of course you can implement above method in C# to perform permission check on server side. You can also extend this control to check user permissions on list level. (If your list does not inherit permissions from parent web site)

Just change web service call to GetPermissionCollection(<list name>, "List");

Easy, isn't it?

blog comments powered by Disqus