public void CreateCustomPermissionLevel(string permissionName)
{
try
{
context = AuthenticationManager.CreateClientContext(rootUrl, user, password);
var web = context.Web;
context.Load(web, w => w.Title, w => w.Description);
// Set up permissions.
BasePermissions permissions = new BasePermissions();
permissions.Set(PermissionKind.ManageLists);
permissions.Set(PermissionKind.CreateAlerts);
permissions.Set(PermissionKind.ViewListItems);
// create
RoleDefinitionCreationInformation roleDefinitionCreationInformation = new RoleDefinitionCreationInformation();
roleDefinitionCreationInformation.BasePermissions = permissions;
roleDefinitionCreationInformation.Name = permissionName;
roleDefinitionCreationInformation.Description = "Custom Permission Level";
context.Web.RoleDefinitions.Add(roleDefinitionCreationInformation);
//context.Load(roleDefinitionCreationInformation);
context.ExecuteQuery();
}
catch (Exception)
{
}
}
public void SetUpCustomPermissionLevels(ClientContext context, List<ShPermissionLevel> permissionLevels)
{
foreach (var permissionLevel in permissionLevels)
{
context.Load(context.Site.RootWeb.RoleDefinitions);
context.ExecuteQuery();
var existingPermissionLevel = context.Site.RootWeb.RoleDefinitions.FirstOrDefault(x => x.Name.Equals(permissionLevel.Name));
if (existingPermissionLevel == null)
{
Log.Info("Creating permission level " + permissionLevel.Name);
BasePermissions permissions = new BasePermissions();
foreach (var basePermission in permissionLevel.BasePermissions)
{
permissions.Set(basePermission);
}
RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = permissionLevel.Name;
roleDefinitionCreationInfo.Description = permissionLevel.Description;
RoleDefinition roleDefinition = context.Site.RootWeb.RoleDefinitions.Add(roleDefinitionCreationInfo);
context.ExecuteQuery();
}
}
}
public void SetUpCustomPermissionLevels(ClientContext context, List <ShPermissionLevel> permissionLevels)
{
foreach (var permissionLevel in permissionLevels)
{
context.Load(context.Site.RootWeb.RoleDefinitions);
context.ExecuteQuery();
var existingPermissionLevel = context.Site.RootWeb.RoleDefinitions.FirstOrDefault(x => x.Name.Equals(permissionLevel.Name));
if (existingPermissionLevel == null)
{
Log.Info("Creating permission level " + permissionLevel.Name);
BasePermissions permissions = new BasePermissions();
foreach (var basePermission in permissionLevel.BasePermissions)
{
permissions.Set(basePermission);
}
RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = permissionLevel.Name;
roleDefinitionCreationInfo.Description = permissionLevel.Description;
RoleDefinition roleDefinition = context.Site.RootWeb.RoleDefinitions.Add(roleDefinitionCreationInfo);
context.ExecuteQuery();
}
}
}
private static void CreateContributePermissionLevel(Web web)
{
// Create New Custom Permission Level
RoleDefinitionCreationInformation roleDefinitionCreationInformation = new RoleDefinitionCreationInformation();
BasePermissions perms = new BasePermissions();
perms.Set(PermissionKind.AddListItems);
perms.Set(PermissionKind.EditListItems);
perms.Set(PermissionKind.DeleteListItems);
perms.Set(PermissionKind.ViewListItems);
perms.Set(PermissionKind.ApproveItems);
perms.Set(PermissionKind.OpenItems);
perms.Set(PermissionKind.ViewVersions);
perms.Set(PermissionKind.DeleteVersions);
perms.Set(PermissionKind.CreateAlerts);
perms.Set(PermissionKind.ViewPages);
perms.Set(PermissionKind.BrowseDirectories);
perms.Set(PermissionKind.BrowseUserInfo);
perms.Set(PermissionKind.UseClientIntegration);
perms.Set(PermissionKind.Open);
perms.Set(PermissionKind.EditMyUserInfo);
perms.Set(PermissionKind.ManagePersonalViews);
perms.Set(PermissionKind.AddDelPrivateWebParts);
perms.Set(PermissionKind.UpdatePersonalWebParts);
roleDefinitionCreationInformation.BasePermissions = perms;
roleDefinitionCreationInformation.Name = "SCJ External Contribute";
roleDefinitionCreationInformation.Description = "Custom Permission Level - SCJ External Contribute";
web.RoleDefinitions.Add(roleDefinitionCreationInformation);
}
/// <summary>
/// Creates a new permission level in specified web context
/// </summary>
/// <param name="context">Client Context</param>
/// <param name="permissionLevelName">Name of permission level to be created</param>
/// <param name="description">Description of permission level to be created</param>
/// <returns>Boolean value indicating success of permission level creation</returns>
private static bool CreateNewPermissionLevel(ClientContext context, string permissionLevelName, string description)
{
string errorFilePath = Directory.GetParent(Directory.GetCurrentDirectory()) + "/" + "ErrorLog.txt";
bool isPermissionLevelCreated = false;
try
{
RemovePermissionLevelIfExists(context, permissionLevelName);
BasePermissions permissions = new BasePermissions();
// List Permissions
permissions.Set(PermissionKind.AddListItems);
permissions.Set(PermissionKind.EditListItems);
permissions.Set(PermissionKind.DeleteListItems);
permissions.Set(PermissionKind.ViewListItems);
permissions.Set(PermissionKind.OpenItems);
permissions.Set(PermissionKind.ViewVersions);
permissions.Set(PermissionKind.DeleteVersions);
permissions.Set(PermissionKind.CreateAlerts);
// Site Permissions
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.CreateSSCSite);
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.ViewPages);
permissions.Set(PermissionKind.BrowseUserInfo);
permissions.Set(PermissionKind.UseRemoteAPIs);
permissions.Set(PermissionKind.UseClientIntegration);
permissions.Set(PermissionKind.Open);
permissions.Set(PermissionKind.EditMyUserInfo);
// Personal Permissions
permissions.Set(PermissionKind.ManagePersonalViews);
permissions.Set(PermissionKind.AddDelPrivateWebParts);
permissions.Set(PermissionKind.UpdatePersonalWebParts);
// Extra Permissions
permissions.Set(PermissionKind.ManagePermissions);
permissions.Set(PermissionKind.EnumeratePermissions);
RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = permissionLevelName;
roleDefinitionCreationInfo.Description = description;
context.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
context.Web.Update();
context.ExecuteQuery();
isPermissionLevelCreated = true;
Console.WriteLine("New permission level created [{0}]", permissionLevelName);
}
catch (Exception exception)
{
isPermissionLevelCreated = false;
ErrorLogger.LogErrorToTextFile(errorFilePath, "Message: " + exception.Message + "\nStacktrace: " + exception.StackTrace);
RemovePermissionLevelIfExists(context, permissionLevelName);
}
return(isPermissionLevelCreated);
}
/// <summary>
/// Creates a new permission level in specified web context
/// </summary>
/// <param name="context">Client Context</param>
/// <param name="permissionLevelName">Name of permission level to be created</param>
/// <param name="description">Description of permission level to be created</param>
/// <returns>Boolean value whether permission level created or not</returns>
private static bool CreateNewPermissionLevel(ClientContext context, string permissionLevelName, string description)
{
bool isPermissionLevelCreated = false;
try
{
RemovePermissionLevelIfExists(context, permissionLevelName);
BasePermissions permissions = new BasePermissions();
// List Permissions
permissions.Set(PermissionKind.AddListItems);
permissions.Set(PermissionKind.EditListItems);
permissions.Set(PermissionKind.DeleteListItems);
permissions.Set(PermissionKind.ViewListItems);
permissions.Set(PermissionKind.OpenItems);
permissions.Set(PermissionKind.ViewVersions);
permissions.Set(PermissionKind.DeleteVersions);
permissions.Set(PermissionKind.CreateAlerts);
// Site Permissions
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.CreateSSCSite);
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.ViewPages);
permissions.Set(PermissionKind.BrowseUserInfo);
permissions.Set(PermissionKind.UseRemoteAPIs);
permissions.Set(PermissionKind.UseClientIntegration);
permissions.Set(PermissionKind.Open);
permissions.Set(PermissionKind.EditMyUserInfo);
// Personal Permissions
permissions.Set(PermissionKind.ManagePersonalViews);
permissions.Set(PermissionKind.AddDelPrivateWebParts);
permissions.Set(PermissionKind.UpdatePersonalWebParts);
// Extra Permissions
permissions.Set(PermissionKind.ManagePermissions);
permissions.Set(PermissionKind.EnumeratePermissions);
RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = permissionLevelName;
roleDefinitionCreationInfo.Description = description;
context.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
context.Web.Update();
context.ExecuteQuery();
isPermissionLevelCreated = true;
Console.WriteLine();
ErrorMessage.ShowMessage(string.Format(CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["NewPermission"], permissionLevelName), ErrorMessage.MessageType.Success);
}
catch (Exception exception)
{
isPermissionLevelCreated = false;
ErrorLogger.LogErrorToTextFile(errorFilePath, "Message: " + exception.Message + "\nStacktrace: " + exception.StackTrace);
RemovePermissionLevelIfExists(context, permissionLevelName);
}
return(isPermissionLevelCreated);
}
public static RoleDefinition CreateRoleDefinition(this RoleDefinitionCollection roleDefinitions, BasePermissions permissions, string name, string description, int order)
{
RoleDefinitionCreationInformation roleDefCreateInfo = new RoleDefinitionCreationInformation
{
BasePermissions = permissions,
Name = name,
Description = description,
Order = order
};
return(roleDefinitions.CreateRoleDefinition(roleDefCreateInfo));
}
protected override void ExecuteCmdlet()
{
// Validate user inputs
RoleDefinition roleDefinition = null;
try
{
roleDefinition = ClientContext.Site.RootWeb.RoleDefinitions.GetByName(RoleName);
ClientContext.Load(roleDefinition);
ClientContext.ExecuteQuery();
}
catch { }
if (roleDefinition.ServerObjectIsNull == null)
{
var spRoleDef = new RoleDefinitionCreationInformation();
var spBasePerm = new BasePermissions();
if (ParameterSpecified(nameof(Clone)))
{
var clonePerm = Clone.GetRoleDefinition(ClientContext.Site);
spBasePerm = clonePerm.BasePermissions;
}
// Include and Exclude Flags
if (ParameterSpecified(nameof(Include)))
{
foreach (var flag in Include)
{
spBasePerm.Set(flag);
}
}
if (ParameterSpecified(nameof(Exclude)))
{
foreach (var flag in Exclude)
{
spBasePerm.Clear(flag);
}
}
// Create Role Definition
spRoleDef.Name = RoleName;
spRoleDef.Description = Description;
spRoleDef.BasePermissions = spBasePerm;
roleDefinition = ClientContext.Site.RootWeb.RoleDefinitions.Add(spRoleDef);
ClientContext.Load(roleDefinition);
ClientContext.ExecuteQueryRetry();
WriteObject(roleDefinition);
}
else
{
WriteWarning($"Unable to add Role Definition as there is an existing role definition with the same name. Will be skipped.");
}
}
/// <summary>
/// Imports the new RoleDefinitions.
/// </summary>
/// <exception cref="ElementsMigrationException">If migration fails</exception>
private void ImportNewRoleDefinitions()
{
Console.WriteLine("import new RoleDefinitions...");
Logger.AddMessage("import new RoleDefinitions...");
RoleDefinitionCollection sourceRoleDefinitionCollection = this.GetAllRollDefinitions(SourceClientContext);
RoleDefinitionCollection targetRoleDefinitionCollection = this.GetAllRollDefinitions(TargetClientContext);
HashSet <string> targetRoleDefinitionNames = targetRoleDefinitionCollection.ReadNames();
foreach (var sourceRoleDefinition in sourceRoleDefinitionCollection)
{
if (!targetRoleDefinitionNames.Contains(sourceRoleDefinition.Name))
{
Console.WriteLine("import roleDefinition '{0}'", sourceRoleDefinition.Name);
Logger.AddMessage("import RoleDefinition '" + sourceRoleDefinition.Name + "'");
RoleDefinitionCreationInformation creationObject = new RoleDefinitionCreationInformation();
creationObject.BasePermissions = sourceRoleDefinition.BasePermissions;
creationObject.Description = sourceRoleDefinition.Description;
creationObject.Name = sourceRoleDefinition.Name;
creationObject.Order = sourceRoleDefinition.Order;
RoleDefinition targetRoleDefinition = targetRoleDefinitionCollection.Add(creationObject);
try
{
targetRoleDefinition.Tag = sourceRoleDefinition.Tag;
}
catch (PropertyOrFieldNotInitializedException)
{
}
}
else
{
Console.WriteLine("don't have to import '{0}'", sourceRoleDefinition.Name);
Logger.AddMessage("don't have to import '" + sourceRoleDefinition.Name + "'");
}
}
try
{
TargetClientContext.ExecuteQuery();
}
catch (Exception e)
{
Console.WriteLine("Exception during importing new RoleDefinition.", e);
Logger.AddMessage("Exception during importing new RoleDefinition. Error = " + e.Message);
throw new ElementsMigrationException("Exception during importing new RoleDefinition.", e);
}
}
public DCTRoleDefinition DCMCreateRole(string rolename, string descriptioin)
{
using (DocLibContext context = new DocLibContext(ServiceHelper.GetDocumentLibraryName()))
{
RoleDefinitionCreationInformation roleCreationInfo = new RoleDefinitionCreationInformation()
{
BasePermissions = new BasePermissions(), Name = rolename, Description = descriptioin
};
context.Web.RoleDefinitions.Add(roleCreationInfo);
context.Load(context.Web.RoleDefinitions);
context.ExecuteQuery();
RoleDefinition roleDefinition = context.Web.RoleDefinitions.GetByName(rolename);
context.Load(roleDefinition);
context.ExecuteQuery();
DCTRoleDefinition dctRoleDefinition = new DCTRoleDefinition();
DCTConverterHelper.Convert(roleDefinition, dctRoleDefinition);
return(dctRoleDefinition);
}
}
private static void CreateReadPermissionLevel(Web web)
{
// Create New Custom Permission Level
RoleDefinitionCreationInformation roleDefinitionCreationInformation = new RoleDefinitionCreationInformation();
BasePermissions perms = new BasePermissions();
perms.Set(PermissionKind.ViewListItems);
perms.Set(PermissionKind.ApproveItems);
perms.Set(PermissionKind.OpenItems);
perms.Set(PermissionKind.ViewVersions);
perms.Set(PermissionKind.DeleteVersions);
perms.Set(PermissionKind.CreateAlerts);
perms.Set(PermissionKind.ViewFormPages);
perms.Set(PermissionKind.ViewPages);
perms.Set(PermissionKind.BrowseUserInfo);
perms.Set(PermissionKind.UseClientIntegration);
perms.Set(PermissionKind.Open);
roleDefinitionCreationInformation.BasePermissions = perms;
roleDefinitionCreationInformation.Name = "SCJ External Read";
roleDefinitionCreationInformation.Description = "Custom Permission Level - SCJ External Read";
web.RoleDefinitions.Add(roleDefinitionCreationInformation);
}
public virtual void Provision()
{
if (RoleDefinitions != null)
{
var existingRoleDefinitions = new List <string>();
foreach (var roleDef in _web.RoleDefinitions)
{
existingRoleDefinitions.Add(roleDef.Name);
}
foreach (var key in RoleDefinitions.Keys)
{
if (!existingRoleDefinitions.Contains(key))
{
OnNotify(ProvisioningNotificationLevels.Verbose, "Creating role definition " + key);
var creator = new RoleDefinitionCreationInformation
{
Name = RoleDefinitions[key].Name,
Description = RoleDefinitions[key].Description
};
var perms = new BasePermissions();
foreach (var p in RoleDefinitions[key].BasePermissions)
{
perms.Set(p);
}
creator.BasePermissions = perms;
creator.Order = RoleDefinitions[key].Order;
_web.RoleDefinitions.Add(creator);
}
else
{
OnNotify(ProvisioningNotificationLevels.Verbose, "Role definition " + key + " exists. Skipping");
}
}
_ctx.ExecuteQueryRetry();
}
}
public static void CreatePermissions(ClientContext clientContext)
{
Console.WriteLine("Adding custom permissions . . . ");
// add read permissions to a permission collection
BasePermissions permissions = new BasePermissions();
permissions.Set(PermissionKind.ViewPages);
permissions.Set(PermissionKind.ViewListItems);
RoleDefinitionCreationInformation roleDefinitionCreationInfo;
Microsoft.SharePoint.Client.RoleDefinition roleDefinition;
// create custom permission levels - adjust post-provision
roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = ContentContributorName;
roleDefinitionCreationInfo.Description = ContentContributorName;
roleDefinition = clientContext.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = ContentManagerName;
roleDefinitionCreationInfo.Description = ContentManagerName;
roleDefinition = clientContext.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = VisitorName;
roleDefinitionCreationInfo.Description = VisitorName;
roleDefinition = clientContext.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
clientContext.ExecuteQuery();
}
/// <summary>
/// Assign permission to the group
/// </summary>
/// <param name="clientContext">Client context object</param>
/// <param name="collSite">Site object</param>
/// <param name="site">Web object</param>
/// <param name="currentGrp">Group object</param>
private static void AssignPermissionToGroup(ClientContext clientContext, Site collSite, Web site, Group currentGrp)
{
//Create permission role and assign group to the role
RoleDefinitionBindingCollection collRDB = new RoleDefinitionBindingCollection(clientContext);
RoleDefinition roleDef = site.RoleDefinitions.FirstOrDefault(roles => roles.Name == ConfigurationManager.AppSettings["restrictedAccessRoleName"]);
if (roleDef == null)
{
BasePermissions permissions = new BasePermissions();
permissions.Set(PermissionKind.UseRemoteAPIs);
permissions.Set(PermissionKind.Open);
RoleDefinitionCreationInformation rdcInfo = new RoleDefinitionCreationInformation();
rdcInfo.Name = ConfigurationManager.AppSettings["restrictedAccessRoleName"];
rdcInfo.Description = ConfigurationManager.AppSettings["restrictedAccessRoleDescription"];
rdcInfo.BasePermissions = permissions;
roleDef = collSite.RootWeb.RoleDefinitions.Add(rdcInfo);
}
collRDB.Add(roleDef);
site.RoleAssignments.Add(currentGrp, collRDB);
clientContext.Load(currentGrp);
clientContext.Load(collRDB);
clientContext.ExecuteQuery();
}
private void CreateCustomPermissionLevels(string siteUrl)
{
using (ClientContext clientContext = new ClientContext(siteUrl))
{
clientContext.Credentials = new SharePointOnlineCredentials(_generatorDefinition.Username, Utils.StringToSecureString(_generatorDefinition.Password));
Web web = clientContext.Site.RootWeb;
clientContext.Load(web);
clientContext.Load(web.AllProperties);
clientContext.Load(web.RoleDefinitions);
clientContext.ExecuteQuery();
var roleDefinitions = web.RoleDefinitions;
string[] rolesToCopy = new string[] { "Full Control", "Read", "Contribute" };
foreach (var role in rolesToCopy)
{
var roleDefinition = roleDefinitions.GetByName(role);
clientContext.Load(roleDefinition);
clientContext.ExecuteQuery();
if (roleDefinition != null)
{
RoleDefinitionCreationInformation roleDefinitionCreationInformation =
new RoleDefinitionCreationInformation();
roleDefinitionCreationInformation.BasePermissions = roleDefinition.BasePermissions;
roleDefinitionCreationInformation.Name = $"{role} - Custom";
roleDefinitions.Add(roleDefinitionCreationInformation);
clientContext.Load(roleDefinitions);
clientContext.ExecuteQuery();
}
}
}
}
/// <summary>
/// Assign permission to the group
/// </summary>
/// <param name="clientContext">Client context object</param>
/// <param name="collSite">Site object</param>
/// <param name="site">Web object</param>
/// <param name="currentGrp">Group object</param>
private static void AssignPermissionToGroup(ClientContext clientContext, Site collSite, Web site, Group currentGrp)
{
//Create permission role and assign group to the role
RoleDefinitionBindingCollection collRDB = new RoleDefinitionBindingCollection(clientContext);
RoleDefinition roleDef = site.RoleDefinitions.FirstOrDefault(roles => roles.Name == ConfigurationManager.AppSettings["restrictedAccessRoleName"]);
if (roleDef == null)
{
BasePermissions permissions = new BasePermissions();
permissions.Set(PermissionKind.UseRemoteAPIs);
permissions.Set(PermissionKind.Open);
RoleDefinitionCreationInformation rdcInfo = new RoleDefinitionCreationInformation();
rdcInfo.Name = ConfigurationManager.AppSettings["restrictedAccessRoleName"];
rdcInfo.Description = ConfigurationManager.AppSettings["restrictedAccessRoleDescription"];
rdcInfo.BasePermissions = permissions;
roleDef = collSite.RootWeb.RoleDefinitions.Add(rdcInfo);
}
collRDB.Add(roleDef);
site.RoleAssignments.Add(currentGrp, collRDB);
clientContext.Load(currentGrp);
clientContext.Load(collRDB);
clientContext.ExecuteQuery();
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// Changed by Paolo Pialorsi to embrace the new sub-site attributes to break role inheritance and copy role assignments
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
//if (web.IsSubSite() && !template.Security.BreakRoleInheritance)
//{
// scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
// return parser;
//}
if (web.IsSubSite() && template.Security.BreakRoleInheritance)
{
web.BreakRoleInheritance(template.Security.CopyRoleAssignments, template.Security.ClearSubscopes);
web.Update();
web.Context.ExecuteQueryRetry();
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.Load(web.SiteUsers);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull())
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope, parser);
}
if (!memberGroup.ServerObjectIsNull())
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope, parser);
}
if (!visitorGroup.ServerObjectIsNull())
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope, parser);
}
foreach (var siteGroup in siteSecurity.SiteGroups
.Sort <SiteGroup>(
_grp => {
string groupOwner = _grp.Owner;
if (string.IsNullOrWhiteSpace(groupOwner) ||
"SHAREPOINT\\system".Equals(groupOwner, StringComparison.OrdinalIgnoreCase) ||
_grp.Title.Equals(groupOwner, StringComparison.OrdinalIgnoreCase) ||
(groupOwner.StartsWith("{{associated") && groupOwner.EndsWith("group}}")))
{
return(Enumerable.Empty <SiteGroup>());
}
return(siteSecurity.SiteGroups.Where(_item => _item.Title.Equals(groupOwner, StringComparison.OrdinalIgnoreCase)));
}
))
{
Group group;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
//If the description is more than 512 characters long a server exception will be thrown.
PnPHttpUtility.ConvertSimpleHtmlToText(parsedGroupDescription, int.MaxValue),
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
group.OnlyAllowMembersViewMembership = siteGroup.OnlyAllowMembersViewMembership;
group.RequestToJoinLeaveEmailSetting = siteGroup.RequestToJoinLeaveEmailSetting;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName.Equals(parsedGroupOwner, StringComparison.OrdinalIgnoreCase));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.Load(group, g => g.Id, g => g.Title);
web.Context.ExecuteQueryRetry();
parser.AddToken(new GroupIdToken(web, group.Title, group.Id));
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
web.Context.ExecuteQueryRetry();
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Id,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.OnlyAllowMembersViewMembership,
g => g.RequestToJoinLeaveEmailSetting,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var groupNeedsUpdate = false;
var executeQuery = false;
if (!String.IsNullOrEmpty(parsedGroupDescription))
{
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
web.Context.Load(groupItem, g => g["Notes"]);
web.Context.ExecuteQueryRetry();
var description = groupItem["Notes"]?.ToString();
if (description != parsedGroupDescription)
{
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
executeQuery = true;
}
var plainTextDescription = PnPHttpUtility.ConvertSimpleHtmlToText(parsedGroupDescription, int.MaxValue);
if (group.Description != plainTextDescription)
{
//If the description is more than 512 characters long a server exception will be thrown.
group.Description = plainTextDescription;
groupNeedsUpdate = true;
}
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
groupNeedsUpdate = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
groupNeedsUpdate = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
groupNeedsUpdate = true;
}
if (group.OnlyAllowMembersViewMembership != siteGroup.OnlyAllowMembersViewMembership)
{
group.OnlyAllowMembersViewMembership = siteGroup.OnlyAllowMembersViewMembership;
groupNeedsUpdate = true;
}
if (!String.IsNullOrEmpty(group.RequestToJoinLeaveEmailSetting) && group.RequestToJoinLeaveEmailSetting != siteGroup.RequestToJoinLeaveEmailSetting)
{
group.RequestToJoinLeaveEmailSetting = siteGroup.RequestToJoinLeaveEmailSetting;
groupNeedsUpdate = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName.Equals(parsedGroupOwner, StringComparison.OrdinalIgnoreCase));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
groupNeedsUpdate = true;
}
if (groupNeedsUpdate)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
executeQuery = true;
}
if (executeQuery)
{
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope, parser);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var parsedAdminName = parser.ParseString(admin.Name);
try
{
var user = web.EnsureUser(parsedAdminName);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
catch (Exception ex)
{
scope.LogWarning(ex, "Failed to add AdditionalAdministrator {0}", parsedAdminName);
}
}
// With the change from october, manage permission levels on subsites as well
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var roleDefinitions = existingRoleDefinitions as RoleDefinition[] ?? existingRoleDefinitions.ToArray();
var parsedRoleDefinitionName = parser.ParseString(templateRoleDefinition.Name);
var parsedTemplateRoleDefinitionDesc = parser.ParseString(templateRoleDefinition.Description);
var siteRoleDefinition = roleDefinitions.FirstOrDefault(erd => erd.Name == parsedRoleDefinitionName);
if (siteRoleDefinition == null)
{
scope.LogDebug("Creating role definition {0}", parsedRoleDefinitionName);
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parsedRoleDefinitionName;
roleDefinitionCI.Description = parsedTemplateRoleDefinitionDesc;
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
var newRoleDefinition = web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.Load(newRoleDefinition, nrd => nrd.Name, nrd => nrd.Id);
web.Context.ExecuteQueryRetry();
parser.AddToken(new RoleDefinitionIdToken(web, newRoleDefinition.Name, newRoleDefinition.Id));
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parsedTemplateRoleDefinitionDesc)
{
siteRoleDefinition.Description = parsedTemplateRoleDefinitionDesc;
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parsedRoleDefinitionName);
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var webRoleAssignments = web.Context.LoadQuery(web.RoleAssignments);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
var parsedRoleDefinition = parser.ParseString(roleAssignment.RoleDefinition);
if (!roleAssignment.Remove)
{
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parsedRoleDefinition);
if (roleDefinition != null)
{
Principal principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
if (principal != null)
{
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
roleDefinitionBindingCollection.Add(roleDefinition);
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
else
{
scope.LogWarning("Role assignment {0} not found in web", roleAssignment.RoleDefinition);
}
}
else
{
var principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
var assignmentsForPrincipal = webRoleAssignments.Where(t => t.PrincipalId == principal.Id);
foreach (var assignmentForPrincipal in assignmentsForPrincipal)
{
var binding = assignmentForPrincipal.EnsureProperty(r => r.RoleDefinitionBindings).FirstOrDefault(b => b.Name == parsedRoleDefinition);
if (binding != null)
{
assignmentForPrincipal.DeleteObject();
web.Context.ExecuteQueryRetry();
break;
}
}
}
}
}
}
}
return(parser);
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
if (web.IsSubSite())
{
scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
return parser;
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope);
}
if (!memberGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope);
}
if (!visitorGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope);
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group = null;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
if (!web.GroupExists(siteGroup.Title))
{
scope.LogDebug("Creating group {0}", siteGroup.Title);
group = web.AddGroup(
parser.ParseString(siteGroup.Title),
parser.ParseString(siteGroup.Description),
parser.ParseString(siteGroup.Title) == parser.ParseString(siteGroup.Owner));
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parser.ParseString(siteGroup.Title) != parser.ParseString(siteGroup.Owner))
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parser.ParseString(siteGroup.Owner));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parser.ParseString(siteGroup.Owner));
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.ExecuteQueryRetry();
}
else
{
group = web.SiteGroups.GetByName(parser.ParseString(siteGroup.Title));
web.Context.Load(group,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (group.Description != parser.ParseString(siteGroup.Description))
{
group.Description = parser.ParseString(siteGroup.Description);
isDirty = true;
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parser.ParseString(siteGroup.Owner))
{
if (parser.ParseString(siteGroup.Title) != parser.ParseString(siteGroup.Owner))
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parser.ParseString(siteGroup.Owner));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parser.ParseString(siteGroup.Owner));
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var user = web.EnsureUser(admin.Name);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var siteRoleDefinition = existingRoleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creation role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.ExecuteQueryRetry();
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = web.EnsureUser(parser.ParseString(roleAssignment.Principal));
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignment.RoleDefinition);
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
}
}
return parser;
}
public static RoleDefinition CreateRoleDefinition(this RoleDefinitionCollection roleDefinitions, RoleDefinitionCreationInformation roleDefCreateInfo)
{
RoleDefinition roleDefinition = roleDefinitions.Add(roleDefCreateInfo);
roleDefinitions.Context.Load(roleDefinition);
roleDefinitions.Context.ExecuteQuery();
return(roleDefinition);
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
if (web.IsSubSite())
{
scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
return(parser);
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope);
}
if (!memberGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope);
}
if (!visitorGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope);
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group = null;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
if (!web.GroupExists(siteGroup.Title))
{
scope.LogDebug("Creating group {0}", siteGroup.Title);
group = web.AddGroup(
parser.ParseString(siteGroup.Title),
parser.ParseString(siteGroup.Description),
parser.ParseString(siteGroup.Title) == parser.ParseString(siteGroup.Owner));
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parser.ParseString(siteGroup.Title) != parser.ParseString(siteGroup.Owner))
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parser.ParseString(siteGroup.Owner));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parser.ParseString(siteGroup.Owner));
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.ExecuteQueryRetry();
}
else
{
group = web.SiteGroups.GetByName(parser.ParseString(siteGroup.Title));
web.Context.Load(group,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (group.Description != parser.ParseString(siteGroup.Description))
{
group.Description = parser.ParseString(siteGroup.Description);
isDirty = true;
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parser.ParseString(siteGroup.Owner))
{
if (parser.ParseString(siteGroup.Title) != parser.ParseString(siteGroup.Owner))
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parser.ParseString(siteGroup.Owner));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parser.ParseString(siteGroup.Owner));
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var user = web.EnsureUser(admin.Name);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var siteRoleDefinition = existingRoleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creation role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.ExecuteQueryRetry();
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = web.EnsureUser(parser.ParseString(roleAssignment.Principal));
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignment.RoleDefinition);
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
}
}
return(parser);
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// Changed by Paolo Pialorsi to embrace the new sub-site attributes to break role inheritance and copy role assignments
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
//if (web.IsSubSite() && !template.Security.BreakRoleInheritance)
//{
// scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
// return parser;
//}
if (web.IsSubSite() && template.Security.BreakRoleInheritance)
{
web.BreakRoleInheritance(template.Security.CopyRoleAssignments, template.Security.ClearSubscopes);
web.Update();
web.Context.ExecuteQueryRetry();
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.Load(web.SiteUsers);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull())
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope, parser);
}
if (!memberGroup.ServerObjectIsNull())
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope, parser);
}
if (!visitorGroup.ServerObjectIsNull())
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope, parser);
}
//sorting groups with respect to possible dependency through Owner property. Groups that are owners of other groups must be processed prior owned groups.
for (int i = siteSecurity.SiteGroups.Count - 1; i >= 0; i--)
{
var currentGroup = siteSecurity.SiteGroups[i];
string currentGroupOwner = parser.ParseString(currentGroup.Owner);
string currentGroupTitle = parser.ParseString(currentGroup.Title);
if (currentGroupOwner != "SHAREPOINT\\system" && currentGroupOwner != currentGroupTitle && !(currentGroupOwner.StartsWith("{{associated") && currentGroupOwner.EndsWith("group}}")))
{
for (int j = 0; j < i; j++)
{
if (parser.ParseString(siteSecurity.SiteGroups[j].Owner) == currentGroupTitle)
{
siteSecurity.SiteGroups.RemoveAt(i);
siteSecurity.SiteGroups.Insert(j, currentGroup);
i++;
break;
}
}
}
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
bool descriptionHasHtml = HttpUtility.HtmlEncode(parsedGroupDescription) != parsedGroupDescription;
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
parsedGroupDescription,
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.Load(group, g => g.Id, g => g.Title);
web.Context.ExecuteQueryRetry();
parser.AddToken(new GroupIdToken(web, group.Title, group.Id));
if (descriptionHasHtml)
{
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
web.Context.ExecuteQueryRetry();
}
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Id,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (descriptionHasHtml)
{
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
web.Context.Load(groupItem, g => g["Notes"]);
web.Context.ExecuteQueryRetry();
var description = groupItem["Notes"]?.ToString();
if (description != parsedGroupDescription)
{
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
isDirty = true;
}
}
else
{
if (!String.IsNullOrEmpty(group.Description) && group.Description != parsedGroupDescription)
{
group.Description = parsedGroupDescription;
isDirty = true;
}
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope, parser);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var parsedAdminName = parser.ParseString(admin.Name);
try
{
var user = web.EnsureUser(parsedAdminName);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
catch (Exception ex)
{
scope.LogWarning(ex, "Failed to add AdditionalAdministrator {0}", parsedAdminName);
}
}
// With the change from october, manage permission levels on subsites as well
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var roleDefinitions = existingRoleDefinitions as RoleDefinition[] ?? existingRoleDefinitions.ToArray();
var siteRoleDefinition = roleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
var newRoleDefinition = web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.Load(newRoleDefinition, nrd => nrd.Name, nrd => nrd.Id);
web.Context.ExecuteQueryRetry();
parser.AddToken(new RoleDefinitionIdToken(web, newRoleDefinition.Name, newRoleDefinition.Id));
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var webRoleAssignments = web.Context.LoadQuery(web.RoleAssignments);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
if (!roleAssignment.Remove)
{
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parser.ParseString(roleAssignment.RoleDefinition));
if (roleDefinition != null)
{
Principal principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
if (principal != null)
{
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
roleDefinitionBindingCollection.Add(roleDefinition);
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
else
{
scope.LogWarning("Role assignment {0} not found in web", roleAssignment.RoleDefinition);
}
}
else
{
var principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
var assignmentsForPrincipal = webRoleAssignments.Where(t => t.PrincipalId == principal.Id);
foreach (var assignmentForPrincipal in assignmentsForPrincipal)
{
var binding = assignmentForPrincipal.EnsureProperty(r => r.RoleDefinitionBindings).FirstOrDefault(b => b.Name == roleAssignment.RoleDefinition);
if (binding != null)
{
assignmentForPrincipal.DeleteObject();
web.Context.ExecuteQueryRetry();
break;
}
}
}
}
}
}
}
return(parser);
}
public void Provision(ClientContext ctx, ProvisioningTemplate template, ProvisioningTemplateApplyingInformation applyingInformation, TokenParser tokenParser, PnPMonitoredScope scope, string configurationData)
{
Log.Info(
this.logSource,
"ProcessRequest. Template: {0}. Config: {1}",
template.Id,
configurationData);
Web web;
TokenParser parser = tokenParser;
var usingRootWeb = false;
if (ctx.Web.IsSubSite())
{
// This extension only works on sub webs with unique permissions!
ctx.Web.Context.Load(ctx.Web, o => o.HasUniqueRoleAssignments);
ctx.Web.Context.ExecuteQueryRetry();
if (!ctx.Web.HasUniqueRoleAssignments)
{
scope.LogDebug("Sub web does not have unique permissions, skipping Security provisioning on it!");
return;
}
else
{
web = ctx.GetSiteCollectionContext().Site.RootWeb;
usingRootWeb = true;
}
}
else
{
// Business as usual
web = ctx.Web;
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope);
}
if (!memberGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope);
}
if (!visitorGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope);
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group = null;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
parsedGroupDescription,
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.ExecuteQueryRetry();
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (!String.IsNullOrEmpty(group.Description) && group.Description != parsedGroupDescription)
{
group.Description = parsedGroupDescription;
isDirty = true;
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var user = web.EnsureUser(admin.Name);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var siteRoleDefinition = existingRoleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creation role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.ExecuteQueryRetry();
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
if (usingRootWeb)
{
web = ctx.Web;
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = web.EnsureUser(parser.ParseString(roleAssignment.Principal));
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parser.ParseString(roleAssignment.RoleDefinition));
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
}
}
/// <summary>
/// Creates a new permission level in specified web context
/// </summary>
/// <param name="context">Client Context</param>
/// <param name="permissionLevelName">Name of permission level to be created</param>
/// <param name="description">Description of permission level to be created</param>
/// <returns>Boolean value whether permission level created or not</returns>
private static bool CreateNewPermissionLevel(ClientContext context, string permissionLevelName, string description)
{
bool isPermissionLevelCreated = false;
try
{
RemovePermissionLevelIfExists(context, permissionLevelName);
BasePermissions permissions = new BasePermissions();
// List Permissions
permissions.Set(PermissionKind.AddListItems);
permissions.Set(PermissionKind.EditListItems);
permissions.Set(PermissionKind.DeleteListItems);
permissions.Set(PermissionKind.ViewListItems);
permissions.Set(PermissionKind.OpenItems);
permissions.Set(PermissionKind.ViewVersions);
permissions.Set(PermissionKind.DeleteVersions);
permissions.Set(PermissionKind.CreateAlerts);
// Site Permissions
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.CreateSSCSite);
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.ViewPages);
permissions.Set(PermissionKind.BrowseUserInfo);
permissions.Set(PermissionKind.UseRemoteAPIs);
permissions.Set(PermissionKind.UseClientIntegration);
permissions.Set(PermissionKind.Open);
permissions.Set(PermissionKind.EditMyUserInfo);
// Personal Permissions
permissions.Set(PermissionKind.ManagePersonalViews);
permissions.Set(PermissionKind.AddDelPrivateWebParts);
permissions.Set(PermissionKind.UpdatePersonalWebParts);
// Extra Permissions
permissions.Set(PermissionKind.ManagePermissions);
permissions.Set(PermissionKind.EnumeratePermissions);
RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = permissionLevelName;
roleDefinitionCreationInfo.Description = description;
context.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
context.Web.Update();
context.ExecuteQuery();
isPermissionLevelCreated = true;
Console.WriteLine();
ErrorMessage.ShowMessage(string.Format(CultureInfo.InvariantCulture, ConfigurationManager.AppSettings["NewPermission"], permissionLevelName), ErrorMessage.MessageType.Success);
}
catch (Exception exception)
{
isPermissionLevelCreated = false;
ErrorLogger.LogErrorToTextFile(errorFilePath, "Message: " + exception.Message + "\nStacktrace: " + exception.StackTrace);
RemovePermissionLevelIfExists(context, permissionLevelName);
}
return isPermissionLevelCreated;
}
/// <summary>
/// Creates a new permission level in specified web context
/// </summary>
/// <param name="context">Client Context</param>
/// <param name="permissionLevelName">Name of permission level to be created</param>
/// <param name="description">Description of permission level to be created</param>
/// <returns>Boolean value indicating success of permission level creation</returns>
private static bool CreateNewPermissionLevel(ClientContext context, string permissionLevelName, string description)
{
string errorFilePath = Directory.GetParent(Directory.GetCurrentDirectory()) + "/" + "ErrorLog.txt";
bool isPermissionLevelCreated = false;
try
{
RemovePermissionLevelIfExists(context, permissionLevelName);
BasePermissions permissions = new BasePermissions();
// List Permissions
permissions.Set(PermissionKind.AddListItems);
permissions.Set(PermissionKind.EditListItems);
permissions.Set(PermissionKind.DeleteListItems);
permissions.Set(PermissionKind.ViewListItems);
permissions.Set(PermissionKind.OpenItems);
permissions.Set(PermissionKind.ViewVersions);
permissions.Set(PermissionKind.DeleteVersions);
permissions.Set(PermissionKind.CreateAlerts);
// Site Permissions
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.CreateSSCSite);
permissions.Set(PermissionKind.BrowseDirectories);
permissions.Set(PermissionKind.ViewPages);
permissions.Set(PermissionKind.BrowseUserInfo);
permissions.Set(PermissionKind.UseRemoteAPIs);
permissions.Set(PermissionKind.UseClientIntegration);
permissions.Set(PermissionKind.Open);
permissions.Set(PermissionKind.EditMyUserInfo);
// Personal Permissions
permissions.Set(PermissionKind.ManagePersonalViews);
permissions.Set(PermissionKind.AddDelPrivateWebParts);
permissions.Set(PermissionKind.UpdatePersonalWebParts);
// Extra Permissions
permissions.Set(PermissionKind.ManagePermissions);
permissions.Set(PermissionKind.EnumeratePermissions);
RoleDefinitionCreationInformation roleDefinitionCreationInfo = new RoleDefinitionCreationInformation();
roleDefinitionCreationInfo.BasePermissions = permissions;
roleDefinitionCreationInfo.Name = permissionLevelName;
roleDefinitionCreationInfo.Description = description;
context.Web.RoleDefinitions.Add(roleDefinitionCreationInfo);
context.Web.Update();
context.ExecuteQuery();
isPermissionLevelCreated = true;
Console.WriteLine("New permission level created [{0}]", permissionLevelName);
}
catch (Exception exception)
{
isPermissionLevelCreated = false;
ErrorLogger.LogErrorToTextFile(errorFilePath, "Message: " + exception.Message + "\nStacktrace: " + exception.StackTrace);
RemovePermissionLevelIfExists(context, permissionLevelName);
}
return isPermissionLevelCreated;
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// Changed by Paolo Pialorsi to embrace the new sub-site attributes to break role inheritance and copy role assignments
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
//if (web.IsSubSite() && !template.Security.BreakRoleInheritance)
//{
// scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
// return parser;
//}
if (web.IsSubSite() && template.Security.BreakRoleInheritance)
{
web.BreakRoleInheritance(template.Security.CopyRoleAssignments, template.Security.ClearSubscopes);
web.Update();
web.Context.ExecuteQueryRetry();
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull())
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope, parser);
}
if (!memberGroup.ServerObjectIsNull())
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope, parser);
}
if (!visitorGroup.ServerObjectIsNull())
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope, parser);
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
parsedGroupDescription,
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.Load(group, g => g.Id, g => g.Title);
web.Context.ExecuteQueryRetry();
parser.AddToken(new GroupIdToken(web, group.Title, group.Id));
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (!String.IsNullOrEmpty(group.Description) && group.Description != parsedGroupDescription)
{
group.Description = parsedGroupDescription;
isDirty = true;
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope, parser);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var parsedAdminName = parser.ParseString(admin.Name);
var user = web.EnsureUser(parsedAdminName);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
// With the change from october, manage permission levels on subsites as well
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var roleDefinitions = existingRoleDefinitions as RoleDefinition[] ?? existingRoleDefinitions.ToArray();
var siteRoleDefinition = roleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.ExecuteQueryRetry();
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parser.ParseString(roleAssignment.RoleDefinition));
if (roleDefinition != null)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = web.EnsureUser(parser.ParseString(roleAssignment.Principal));
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
roleDefinitionBindingCollection.Add(roleDefinition);
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
else
{
scope.LogWarning("Role assignment {0} not found in web", roleAssignment.RoleDefinition);
}
}
}
}
}
return(parser);
}
public static void CrearNivel(ClientContext c)
{
//try
//{
c.Load(
c.Web,
website => website.Title,
website => website.HasUniqueRoleAssignments);
c.ExecuteQuery();
Console.WriteLine("Creando nivel de permiso");
if (!c.Web.HasUniqueRoleAssignments)
{
c.Web.BreakRoleInheritance(false, true);
c.ExecuteQuery();
}
BasePermissions permisoBuffet = new BasePermissions();
permisoBuffet.Set(PermissionKind.EmptyMask);
permisoBuffet.Set(PermissionKind.AddListItems);
permisoBuffet.Set(PermissionKind.EditListItems);
permisoBuffet.Set(PermissionKind.ViewListItems);
permisoBuffet.Set(PermissionKind.ViewVersions);
permisoBuffet.Set(PermissionKind.DeleteVersions);
permisoBuffet.Set(PermissionKind.CreateAlerts);
permisoBuffet.Set(PermissionKind.ViewFormPages);
permisoBuffet.Set(PermissionKind.OpenItems);
permisoBuffet.Set(PermissionKind.BrowseDirectories);
permisoBuffet.Set(PermissionKind.ViewPages);
permisoBuffet.Set(PermissionKind.UseRemoteAPIs);
permisoBuffet.Set(PermissionKind.BrowseUserInfo);
permisoBuffet.Set(PermissionKind.UseClientIntegration);
permisoBuffet.Set(PermissionKind.Open);
permisoBuffet.Set(PermissionKind.EditMyUserInfo);
permisoBuffet.Set(PermissionKind.ManagePersonalViews);
permisoBuffet.Set(PermissionKind.AddDelPrivateWebParts);
permisoBuffet.Set(PermissionKind.UpdatePersonalWebParts);
permisoBuffet.Set(PermissionKind.CreateSSCSite);
permisoBuffet.Set(PermissionKind.CreateAlerts);
RoleDefinitionCreationInformation creationInfo = new RoleDefinitionCreationInformation();
creationInfo.BasePermissions = permisoBuffet;
creationInfo.Description = "Colaborar sin eliminar";
creationInfo.Name = "Colaborar sin eliminar";
creationInfo.Order = 0;
RoleDefinition rd = c.Web.RoleDefinitions.Add(creationInfo);
c.ExecuteQuery();
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("--- NIVEL DE PERMISO CREADO --");
Console.ResetColor();
//}
//catch (Exception ex)
//{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("--- ERROR AL CREAR EL NIVEL DE PERMISO --");
Console.ResetColor();
//}
c.ExecuteQuery();
}
