Removing user permissions from a list item

Programmatically modifying the item-level permissions in a list involves manipulation of the role assignments collection for that item.

This example shows how to remove a specific role definition from each of the members of a user collection:
/// <Summary>
/// Remove a role definition from each of the members of a user collection for a list item
/// </Summary>
/// <Param name = "item"> the list item </param>
/// <Param name = "uservals"> the collection of users who are to have the role definition removed </param>
/// <Param name = "def"> the role definition to remove </param>
Internal static void removeroledefinitionfromusers (splistitem item, spfielduservaluecollection uservals, sproledefinition DEF)
{
If (uservals! = NULL)
{
Foreach (spfielduservalue userval in uservals)
{
Spuser user = userval. user;
Sproleassignment role = item. roleassignments. getassignmentbyprincipal (spprincipal) User );
If (role! = NULL)
{
If (role. roledefinitionbindings. Contains (DEF ))
{
Role. roledefinitionbindings. Remove (DEF );
Role. Update ();
Item. systemupdate (false );
}
}
}
}
}

========================================================== ==============================

Sproledefinition is used to define a role (that is, the "permission level" mentioned above ).
Its important attributes include:
Name: role name
Description: Role description.
Basepermissions: Role permissions (that is, detailed permissions are specified here)
In addition, the type attribute is of the sproletype Enumeration type. In the same way as 2003, the enumerated entries are also the same, indicating that by default, there are still several roles.
In addition, the permission enumeration is sprights in 2003, but this item is also declared as obsolete in 2007, and replaced by spbasepermissions (in fact, the content difference is not much)

 

Sproleassignment is used for permission allocation. It is relatively simple and has only three public attributes:
Member: Who will assign permissions
Parent: Assign permissions on something
Roledefinitionbindings: Permission assigned
From the name of the last thing, in section 2007, permission allocation has actually changed to role binding.
Take a look at the above three items in turn
Member is of the spprincipal type (it is actually equivalent to the spmember in 2003) and is the parent class of spuser and spgroup.
Parent: a class that implements the isecurityxxxx interface (this interface is implemented for classes that can be assigned permissions in 2007)
Roledefinitionbindings: it can be understood as a collection of sproledefinition (although there are some differences in the object model)

In 2007
Each item that can be assigned permissions (spweb, splist, splistitem, etc.) has a roleassignments attribute, which is a property of the sproleassignmentcollection type and is used to assign permissions.
In addition, the roledefinitions attribute is available in spweb (only available in spweb, that is, the role can only be defined on the website)

For example,
For example, if we want to assign a user a permission on the list, the permission uses a role named "XXX ".
The Code is as follows:

 SPRoleAssignment ra = new SPRoleAssignment(user);
SPRoleDefinition rd = web.RoleDefinitions["xxx"];
ra.RoldDefinitionBindings.Add(rd);
list.RoleAssignments.Add(ra);

For example, modify the permissions of a user:

 SPRoleAssignment ra = list.RoleAssignments.GetAssignmentByPrincipal(user);
SPRoleDefinition rd = web.RoleDefinitions["xxx"];
ra.RoldDefinitionBindings.Add(rd);
ra.Update();

However, if the permissions on this list were previously inherited from the website,
The above Code does not automatically modify the inheritance, but throws an exception.
We must manually remove this inheritance relationship:

 list.BreakRoleInheritance(true);

True in the parameter indicates re-copy the inherited permission (if you do not change it, it is the same as the website permission). If it is false, use the default permissions defined in the list template.

 

When using "parallelism (bool) and resetroleinheritance ()", make sure that "allowunsafeupdates = true" of currweb is "allowunsafeupdates = true". Then, use "allowunsafeupdates = true" again to make, this allows you to add permissions to the 'permission set' in the future.

Example:

Guid siteId=SPControl.GetContextSite(HttpContext.Current).ID;     
SPSecurity.RunWithElevatedPrivileges(delegate()
 {
using(SPSite site=new SPSite(siteId))
  {
using(SPWeb web=site.openweb())
      {
         SPRoleAssignment assignment = web.RoleAssignments.GetAssignmentByPrincipal((SPPrincipal)web.CurrentUser);
 
         StringBuilder sb = new StringBuilder("");

foreach (SPRoleDefinition role in assignment.RoleDefinitionBindings)
         {
          sb.AppendLine(role.Name);
          sb.AppendLine(role.BasePermissions.ToString());
          sb.AppendLine("#");
          }
       lblErrorMessage.Text = sb.ToString();
      }
 }
});