Access Denied when attempting to add 'Link to Document'

Category: sharepoint 2010 general

Question

spi_shane on Tue, 13 Dec 2016 21:38:21


I have several sites all created from a template.

Within those sites are a Library, with Document Sets.  The 'Document Set' content type has 'Link to a Document' under it. 

User A - has Contribute Access to the library (in all of the sites)

User B - has Contribute Access to the library (in all of the sites)

User C - has Contribute Access to the library (in all of the sites)

The problems

User A for some of the sites (not all, only a minority of them) gets a message 'Access Denied' when they try to add a 'Link to a Document' inside the Document set.  Any other documents or Document sets they create they do not get an error.  The link actually gets created, just the URL that was entered is not saved. 

User B (using same PC and browser (log-out/log-in from same browser session) can add the links without issue in the site/library that User A has issues.  Logging back in as User A reverts to having the same issue.  (this is

User C said they had the same issue as User A, but it 'went away'. 

I have had User A reboot, we've tried giving Full Control to both the site as well as the library. 

-----------------------

Ideas? 

Replies

Victoria Xia on Wed, 14 Dec 2016 08:37:20


Hi,

Please check if the library and the document set both are inherited permission from their parent.

And please compare the permissions for User A, B and C at site level, library level and Document Set level to see if there are any difference.

Best Regards,

Victoria

spi_shane on Wed, 14 Dec 2016 13:19:19


yes it inherits. I even broke permissions at the Document Set level and gave the User A full control of both Document set and the Site, neither fixed his issue.

croute1 on Wed, 14 Dec 2016 19:02:03


Hi spi- obviously an account/permissions issue. As Victoria mentioned, humor us and check each level of permission again and make sure the user has access at all levels- the site, the page, the library, (the web part if there is one) the folder and the documents. Make sure they have contribute access especially to the document set & documents.

If you're positive all is well above, then remove any fine-grained permissions at each level one at a time and re-try after each one until the issue goes away. Then you'll know what level they're denied at.

waaromikniet on Wed, 04 Mar 2020 09:53:14


Ever found a solution? I am having the same issue

waaromikniet on Wed, 04 Mar 2020 12:16:50


I have found the problem using Reflector. When you add the 'Link to Document' CT to your list. The first time an item is added a column 'IconOverlay' is added to the list. The code from SharePoint.dll checks if the current user has manage list permissions on the web level. If yes then the column is added with the account of the logged in user. Otherwise it will be done with elevated privileges.

However, if you have manage list permission on web level, but your list has broken permissions, and on your list you don't have manage list permissions the code is not executed with elevated privileges. Because the check for permissions is done on the web level. In this case the field will be added with the user account. Because the user has no rights to add fields you get an access denies error.

This is the the code that is causing the error in Microsoft.SharePoint.SPlistItem

// Microsoft.SharePoint.SPListItem
internal void AddIconAndOverlay(string progid, string fileType, string overlayUrl)
{
	if (this.HasExternalDataSource)
	{
		SPExternalList.ThrowNotSupportedExceptionForProperty("IconOverlay", false, base.GetType());
	}
	string value = string.IsNullOrEmpty(overlayUrl) ? null : (progid + "|" + fileType + "|" + overlayUrl);
	if (this.EnsureIconOverlayField())
	{
		this[SPListItem.g_guidIconOverride] = value;
	}
}

private bool EnsureIconOverlayField()
{
	SPField fieldById = this.ParentList.Fields.GetFieldById(SPListItem.g_guidIconOverride, false);
	bool canEnsure = true;
	if (fieldById == null)
	{
		canEnsure = this.Web.DoesUserHavePermissions(SPBasePermissions.EditListItems);
		bool flag = this.Web.DoesUserHavePermissions(SPBasePermissions.ManageLists);
		if (canEnsure)
		{
			if (flag)
			{
				canEnsure = SPListItem.AddOverlayField(this.ParentList);
			}
			else
			{
				Guid siteId = this.Web.Site.ID;
				Guid webId = this.Web.ID;
				string listServerRelativeUrl = this.ParentList.RootFolder.ServerRelativeUrl;
				SPSecurity.RunWithElevatedPrivileges(delegate
				{
					using (SPSite sPSite = new SPSite(siteId))
					{
						using (SPWeb sPWeb = sPSite.OpenWeb(webId))
						{
							bool allowUnsafeUpdates = sPWeb.AllowUnsafeUpdates;
							try
							{
								sPWeb.AllowUnsafeUpdates = true;
								SPList list = sPWeb.GetList(listServerRelativeUrl);
								canEnsure = SPListItem.AddOverlayField(list);
							}
							finally
							{
								sPWeb.AllowUnsafeUpdates = allowUnsafeUpdates;
							}
						}
					}
					canEnsure = false;
				});
			}
		}
	}
	return canEnsure;
}

// Microsoft.SharePoint.SPListItem
using Microsoft.SharePoint.Diagnostics;

private static bool AddOverlayField(SPList parentList)
{
	bool flag = parentList.Fields.Contains(SPListItem.g_guidIconOverride);
	if (!flag)
	{
		SPWeb parentWeb = parentList.ParentWeb;
		ULS.SendTraceTag(1664251765u, ULSCat.msoulscat_WSS_General, ULSTraceLevel.Verbose, "Adding IconOverlay field since list {0} in site {1} does not already have it", parentList.Title, parentWeb.Url);
		SPField fieldById = parentWeb.AvailableFields.GetFieldById(SPListItem.g_guidIconOverride, false);
		if (fieldById != null)
		{
			string text = parentList.Fields.Add(fieldById);
			ULS.SendTraceTag(1664251766u, ULSCat.msoulscat_WSS_General, ULSTraceLevel.Verbose, "Added IconOverlay field {0} to list {1}", text, parentList.Title);
			flag = true;
		}
		else
		{
			ULS.SendTraceTag(1664251768u, ULSCat.msoulscat_WSS_General, ULSTraceLevel.Unexpected, "Icon overlay field {0} was not provisioned for site {1}", "IconOverlay", parentWeb.Url);
		}
	}
	return flag;
}