public override void BreakRoleInheritance(bool copyRoleAssignments)
{
if (_web.Id == _site.RootWeb.ID)
{
return;
}
_web.BreakRoleInheritance(copyRoleAssignments, false);
_context.Load(_web, x => x.HasUniqueRoleAssignments);
_context.ExecuteQuery();
}
//gavdcodeend 19
//gavdcodebegin 20
static void SpCsCsomBreakSecurityInheritanceWeb()
{
string myWebFullUrl = ConfigurationManager.AppSettings["spUrl"] +
"/NewWebSiteModernCsCsom";
ClientContext spCtx = LoginCsom(myWebFullUrl);
Web myWeb = spCtx.Web;
spCtx.Load(myWeb, hura => hura.HasUniqueRoleAssignments);
spCtx.ExecuteQuery();
if (myWeb.HasUniqueRoleAssignments == false)
{
myWeb.BreakRoleInheritance(false, true);
}
myWeb.Update();
spCtx.ExecuteQuery();
}
/// <summary>
/// Add Permission in a Site
/// </summary>
/// <param name="group"></param>
/// <param name="role"></param>
/// <returns></returns>
public bool AddPermision(string group, RoleType role)
{
try
{
var oGroup = Web.Site.RootWeb.Groups.GetByName(group);
var roleAssignment = new SPRoleAssignment(oGroup);
var roleDefinition = Web.RoleDefinitions.GetByType((SPRoleType)role);
roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
if (!Web.HasUniqueRoleAssignments)
{
Web.BreakRoleInheritance(false);
}
Web.RoleAssignments.Add(roleAssignment);
Web.Update();
return(true);
}
catch (Exception exception)
{
Logger.Error(string.Concat("Error AddPermission :", exception.Message));
return(false);
}
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// Changed by Paolo Pialorsi to embrace the new sub-site attributes to break role inheritance and copy role assignments
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
//if (web.IsSubSite() && !template.Security.BreakRoleInheritance)
//{
// scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
// return parser;
//}
if (web.IsSubSite() && template.Security.BreakRoleInheritance)
{
web.BreakRoleInheritance(template.Security.CopyRoleAssignments, template.Security.ClearSubscopes);
web.Update();
web.Context.ExecuteQueryRetry();
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.Load(web.SiteUsers);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull())
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope, parser);
}
if (!memberGroup.ServerObjectIsNull())
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope, parser);
}
if (!visitorGroup.ServerObjectIsNull())
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope, parser);
}
foreach (var siteGroup in siteSecurity.SiteGroups
.Sort <SiteGroup>(
_grp => {
string groupOwner = _grp.Owner;
if (string.IsNullOrWhiteSpace(groupOwner) ||
"SHAREPOINT\\system".Equals(groupOwner, StringComparison.OrdinalIgnoreCase) ||
_grp.Title.Equals(groupOwner, StringComparison.OrdinalIgnoreCase) ||
(groupOwner.StartsWith("{{associated") && groupOwner.EndsWith("group}}")))
{
return(Enumerable.Empty <SiteGroup>());
}
return(siteSecurity.SiteGroups.Where(_item => _item.Title.Equals(groupOwner, StringComparison.OrdinalIgnoreCase)));
}
))
{
Group group;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
//If the description is more than 512 characters long a server exception will be thrown.
PnPHttpUtility.ConvertSimpleHtmlToText(parsedGroupDescription, int.MaxValue),
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
group.OnlyAllowMembersViewMembership = siteGroup.OnlyAllowMembersViewMembership;
group.RequestToJoinLeaveEmailSetting = siteGroup.RequestToJoinLeaveEmailSetting;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName.Equals(parsedGroupOwner, StringComparison.OrdinalIgnoreCase));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.Load(group, g => g.Id, g => g.Title);
web.Context.ExecuteQueryRetry();
parser.AddToken(new GroupIdToken(web, group.Title, group.Id));
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
web.Context.ExecuteQueryRetry();
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Id,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.OnlyAllowMembersViewMembership,
g => g.RequestToJoinLeaveEmailSetting,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var groupNeedsUpdate = false;
var executeQuery = false;
if (!String.IsNullOrEmpty(parsedGroupDescription))
{
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
web.Context.Load(groupItem, g => g["Notes"]);
web.Context.ExecuteQueryRetry();
var description = groupItem["Notes"]?.ToString();
if (description != parsedGroupDescription)
{
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
executeQuery = true;
}
var plainTextDescription = PnPHttpUtility.ConvertSimpleHtmlToText(parsedGroupDescription, int.MaxValue);
if (group.Description != plainTextDescription)
{
//If the description is more than 512 characters long a server exception will be thrown.
group.Description = plainTextDescription;
groupNeedsUpdate = true;
}
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
groupNeedsUpdate = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
groupNeedsUpdate = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
groupNeedsUpdate = true;
}
if (group.OnlyAllowMembersViewMembership != siteGroup.OnlyAllowMembersViewMembership)
{
group.OnlyAllowMembersViewMembership = siteGroup.OnlyAllowMembersViewMembership;
groupNeedsUpdate = true;
}
if (!String.IsNullOrEmpty(group.RequestToJoinLeaveEmailSetting) && group.RequestToJoinLeaveEmailSetting != siteGroup.RequestToJoinLeaveEmailSetting)
{
group.RequestToJoinLeaveEmailSetting = siteGroup.RequestToJoinLeaveEmailSetting;
groupNeedsUpdate = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName.Equals(parsedGroupOwner, StringComparison.OrdinalIgnoreCase));
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
groupNeedsUpdate = true;
}
if (groupNeedsUpdate)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
executeQuery = true;
}
if (executeQuery)
{
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope, parser);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var parsedAdminName = parser.ParseString(admin.Name);
try
{
var user = web.EnsureUser(parsedAdminName);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
catch (Exception ex)
{
scope.LogWarning(ex, "Failed to add AdditionalAdministrator {0}", parsedAdminName);
}
}
// With the change from october, manage permission levels on subsites as well
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var roleDefinitions = existingRoleDefinitions as RoleDefinition[] ?? existingRoleDefinitions.ToArray();
var parsedRoleDefinitionName = parser.ParseString(templateRoleDefinition.Name);
var parsedTemplateRoleDefinitionDesc = parser.ParseString(templateRoleDefinition.Description);
var siteRoleDefinition = roleDefinitions.FirstOrDefault(erd => erd.Name == parsedRoleDefinitionName);
if (siteRoleDefinition == null)
{
scope.LogDebug("Creating role definition {0}", parsedRoleDefinitionName);
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parsedRoleDefinitionName;
roleDefinitionCI.Description = parsedTemplateRoleDefinitionDesc;
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
var newRoleDefinition = web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.Load(newRoleDefinition, nrd => nrd.Name, nrd => nrd.Id);
web.Context.ExecuteQueryRetry();
parser.AddToken(new RoleDefinitionIdToken(web, newRoleDefinition.Name, newRoleDefinition.Id));
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parsedTemplateRoleDefinitionDesc)
{
siteRoleDefinition.Description = parsedTemplateRoleDefinitionDesc;
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parsedRoleDefinitionName);
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var webRoleAssignments = web.Context.LoadQuery(web.RoleAssignments);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
var parsedRoleDefinition = parser.ParseString(roleAssignment.RoleDefinition);
if (!roleAssignment.Remove)
{
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parsedRoleDefinition);
if (roleDefinition != null)
{
Principal principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
if (principal != null)
{
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
roleDefinitionBindingCollection.Add(roleDefinition);
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
else
{
scope.LogWarning("Role assignment {0} not found in web", roleAssignment.RoleDefinition);
}
}
else
{
var principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
var assignmentsForPrincipal = webRoleAssignments.Where(t => t.PrincipalId == principal.Id);
foreach (var assignmentForPrincipal in assignmentsForPrincipal)
{
var binding = assignmentForPrincipal.EnsureProperty(r => r.RoleDefinitionBindings).FirstOrDefault(b => b.Name == parsedRoleDefinition);
if (binding != null)
{
assignmentForPrincipal.DeleteObject();
web.Context.ExecuteQueryRetry();
break;
}
}
}
}
}
}
}
return(parser);
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// Changed by Paolo Pialorsi to embrace the new sub-site attributes for break role inheritance and copy role assignments
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
//if (web.IsSubSite() && !template.Security.BreakRoleInheritance)
//{
// scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
// return parser;
//}
if (web.IsSubSite() && template.Security.BreakRoleInheritance)
{
web.BreakRoleInheritance(template.Security.CopyRoleAssignments, template.Security.ClearSubscopes);
web.Update();
web.Context.ExecuteQueryRetry();
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope, parser);
}
if (!memberGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope, parser);
}
if (!visitorGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope, parser);
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
parsedGroupDescription,
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.Load(group, g => g.Id, g => g.Title);
web.Context.ExecuteQueryRetry();
parser.AddToken(new GroupIdToken(web, group.Title, group.Id));
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (!String.IsNullOrEmpty(group.Description) && group.Description != parsedGroupDescription)
{
group.Description = parsedGroupDescription;
isDirty = true;
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope, parser);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var parsedAdminName = parser.ParseString(admin.Name);
var user = web.EnsureUser(parsedAdminName);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
if (!web.IsSubSite() && siteSecurity.SiteSecurityPermissions != null) // Only manage permissions levels on sitecol level
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var roleDefinitions = existingRoleDefinitions as RoleDefinition[] ?? existingRoleDefinitions.ToArray();
var siteRoleDefinition = roleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creation role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.ExecuteQueryRetry();
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = web.EnsureUser(parser.ParseString(roleAssignment.Principal));
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parser.ParseString(roleAssignment.RoleDefinition));
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
}
}
return parser;
}
/// <summary>
/// Create group if it's not existed
/// </summary>
/// <param name="collGroup"></param>
/// <param name="groupName"></param>
/// <param name="oWebsite"></param>
/// <param name="clientContext"></param>
/// <param name="roleType"></param>
/// <param name="users"></param>
private static void CreateGroup(GroupCollection collGroup, string groupName, Web oWebsite, ClientContext clientContext, RoleType roleType, List<FieldUserValue> users)
{
try
{
Group grp = collGroup.Where(g => g.Title == groupName).FirstOrDefault();
oWebsite.BreakRoleInheritance(true, false);
if (grp == null)
{
GroupCreationInformation groupCreationInfo = new GroupCreationInformation();
groupCreationInfo.Title = groupName;
groupCreationInfo.Description = "Use this group to grant people " + roleType.ToString() + " permissions to the SharePoint site: " + oWebsite.Title;
grp = oWebsite.SiteGroups.Add(groupCreationInfo);
//clientContext.Load(grp);
//clientContext.ExecuteQuery();
}
// grant role to group
RoleDefinitionBindingCollection collRoleDefinitionBinding = new RoleDefinitionBindingCollection(clientContext);
RoleDefinition oRoleDefinition = oWebsite.RoleDefinitions.GetByType(roleType);
collRoleDefinitionBinding.Add(oRoleDefinition);
oWebsite.RoleAssignments.Add(grp, collRoleDefinitionBinding);
clientContext.Load(grp, group => group.Title);
clientContext.Load(oRoleDefinition, role => role.Name);
clientContext.ExecuteQuery();
// Add users to newly created group or existing group
AddUsertoGroup(grp, clientContext, users);
}
catch (Exception e)
{
Console.Write(e.Message);
}
}
public void BreakRoleInheritance(bool copyRoleAssignments, bool clearScopes)
{
_web.BreakRoleInheritance(copyRoleAssignments, clearScopes);
_web.Context.ExecuteQuery();
Refresh();
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// Changed by Paolo Pialorsi to embrace the new sub-site attributes for break role inheritance and copy role assignments
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
//if (web.IsSubSite() && !template.Security.BreakRoleInheritance)
//{
// scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
// return parser;
//}
if (web.IsSubSite() && template.Security.BreakRoleInheritance)
{
web.BreakRoleInheritance(template.Security.CopyRoleAssignments, template.Security.ClearSubscopes);
web.Update();
web.Context.ExecuteQueryRetry();
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope, parser);
}
if (!memberGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope, parser);
}
if (!visitorGroup.ServerObjectIsNull.Value)
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope, parser);
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
parsedGroupDescription,
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.Load(group, g => g.Id, g => g.Title);
web.Context.ExecuteQueryRetry();
parser.AddToken(new GroupIdToken(web, group.Title, group.Id));
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (!String.IsNullOrEmpty(group.Description) && group.Description != parsedGroupDescription)
{
group.Description = parsedGroupDescription;
isDirty = true;
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope, parser);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var parsedAdminName = parser.ParseString(admin.Name);
var user = web.EnsureUser(parsedAdminName);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
if (!web.IsSubSite() && siteSecurity.SiteSecurityPermissions != null) // Only manage permissions levels on sitecol level
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var roleDefinitions = existingRoleDefinitions as RoleDefinition[] ?? existingRoleDefinitions.ToArray();
var siteRoleDefinition = roleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creation role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.ExecuteQueryRetry();
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = web.EnsureUser(parser.ParseString(roleAssignment.Principal));
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parser.ParseString(roleAssignment.RoleDefinition));
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
}
}
return(parser);
}
public override TokenParser ProvisionObjects(Web web, ProvisioningTemplate template, TokenParser parser, ProvisioningTemplateApplyingInformation applyingInformation)
{
using (var scope = new PnPMonitoredScope(this.Name))
{
// Changed by Paolo Pialorsi to embrace the new sub-site attributes to break role inheritance and copy role assignments
// if this is a sub site then we're not provisioning security as by default security is inherited from the root site
//if (web.IsSubSite() && !template.Security.BreakRoleInheritance)
//{
// scope.LogDebug(CoreResources.Provisioning_ObjectHandlers_SiteSecurity_Context_web_is_subweb__skipping_site_security_provisioning);
// return parser;
//}
if (web.IsSubSite() && template.Security.BreakRoleInheritance)
{
web.BreakRoleInheritance(template.Security.CopyRoleAssignments, template.Security.ClearSubscopes);
web.Update();
web.Context.ExecuteQueryRetry();
}
var siteSecurity = template.Security;
var ownerGroup = web.AssociatedOwnerGroup;
var memberGroup = web.AssociatedMemberGroup;
var visitorGroup = web.AssociatedVisitorGroup;
web.Context.Load(ownerGroup, o => o.Title, o => o.Users);
web.Context.Load(memberGroup, o => o.Title, o => o.Users);
web.Context.Load(visitorGroup, o => o.Title, o => o.Users);
web.Context.Load(web.SiteUsers);
web.Context.ExecuteQueryRetry();
if (!ownerGroup.ServerObjectIsNull())
{
AddUserToGroup(web, ownerGroup, siteSecurity.AdditionalOwners, scope, parser);
}
if (!memberGroup.ServerObjectIsNull())
{
AddUserToGroup(web, memberGroup, siteSecurity.AdditionalMembers, scope, parser);
}
if (!visitorGroup.ServerObjectIsNull())
{
AddUserToGroup(web, visitorGroup, siteSecurity.AdditionalVisitors, scope, parser);
}
//sorting groups with respect to possible dependency through Owner property. Groups that are owners of other groups must be processed prior owned groups.
for (int i = siteSecurity.SiteGroups.Count - 1; i >= 0; i--)
{
var currentGroup = siteSecurity.SiteGroups[i];
string currentGroupOwner = parser.ParseString(currentGroup.Owner);
string currentGroupTitle = parser.ParseString(currentGroup.Title);
if (currentGroupOwner != "SHAREPOINT\\system" && currentGroupOwner != currentGroupTitle && !(currentGroupOwner.StartsWith("{{associated") && currentGroupOwner.EndsWith("group}}")))
{
for (int j = 0; j < i; j++)
{
if (parser.ParseString(siteSecurity.SiteGroups[j].Owner) == currentGroupTitle)
{
siteSecurity.SiteGroups.RemoveAt(i);
siteSecurity.SiteGroups.Insert(j, currentGroup);
i++;
break;
}
}
}
}
foreach (var siteGroup in siteSecurity.SiteGroups)
{
Group group;
var allGroups = web.Context.LoadQuery(web.SiteGroups.Include(gr => gr.LoginName));
web.Context.ExecuteQueryRetry();
string parsedGroupTitle = parser.ParseString(siteGroup.Title);
string parsedGroupOwner = parser.ParseString(siteGroup.Owner);
string parsedGroupDescription = parser.ParseString(siteGroup.Description);
bool descriptionHasHtml = HttpUtility.HtmlEncode(parsedGroupDescription) != parsedGroupDescription;
if (!web.GroupExists(parsedGroupTitle))
{
scope.LogDebug("Creating group {0}", parsedGroupTitle);
group = web.AddGroup(
parsedGroupTitle,
parsedGroupDescription,
parsedGroupTitle == parsedGroupOwner);
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
group.Update();
web.Context.Load(group, g => g.Id, g => g.Title);
web.Context.ExecuteQueryRetry();
parser.AddToken(new GroupIdToken(web, group.Title, group.Id));
if (descriptionHasHtml)
{
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
web.Context.ExecuteQueryRetry();
}
}
else
{
group = web.SiteGroups.GetByName(parsedGroupTitle);
web.Context.Load(group,
g => g.Id,
g => g.Title,
g => g.Description,
g => g.AllowMembersEditMembership,
g => g.AllowRequestToJoinLeave,
g => g.AutoAcceptRequestToJoinLeave,
g => g.Owner.LoginName);
web.Context.ExecuteQueryRetry();
var isDirty = false;
if (descriptionHasHtml)
{
var groupItem = web.SiteUserInfoList.GetItemById(group.Id);
web.Context.Load(groupItem, g => g["Notes"]);
web.Context.ExecuteQueryRetry();
var description = groupItem["Notes"]?.ToString();
if (description != parsedGroupDescription)
{
groupItem["Notes"] = parsedGroupDescription;
groupItem.Update();
isDirty = true;
}
}
else
{
if (!String.IsNullOrEmpty(group.Description) && group.Description != parsedGroupDescription)
{
group.Description = parsedGroupDescription;
isDirty = true;
}
}
if (group.AllowMembersEditMembership != siteGroup.AllowMembersEditMembership)
{
group.AllowMembersEditMembership = siteGroup.AllowMembersEditMembership;
isDirty = true;
}
if (group.AllowRequestToJoinLeave != siteGroup.AllowRequestToJoinLeave)
{
group.AllowRequestToJoinLeave = siteGroup.AllowRequestToJoinLeave;
isDirty = true;
}
if (group.AutoAcceptRequestToJoinLeave != siteGroup.AutoAcceptRequestToJoinLeave)
{
group.AutoAcceptRequestToJoinLeave = siteGroup.AutoAcceptRequestToJoinLeave;
isDirty = true;
}
if (group.Owner.LoginName != parsedGroupOwner)
{
if (parsedGroupTitle != parsedGroupOwner)
{
Principal ownerPrincipal = allGroups.FirstOrDefault(gr => gr.LoginName == parsedGroupOwner);
if (ownerPrincipal == null)
{
ownerPrincipal = web.EnsureUser(parsedGroupOwner);
}
group.Owner = ownerPrincipal;
}
else
{
group.Owner = group;
}
isDirty = true;
}
if (isDirty)
{
scope.LogDebug("Updating existing group {0}", group.Title);
group.Update();
web.Context.ExecuteQueryRetry();
}
}
if (group != null && siteGroup.Members.Any())
{
AddUserToGroup(web, group, siteGroup.Members, scope, parser);
}
}
foreach (var admin in siteSecurity.AdditionalAdministrators)
{
var parsedAdminName = parser.ParseString(admin.Name);
try
{
var user = web.EnsureUser(parsedAdminName);
user.IsSiteAdmin = true;
user.Update();
web.Context.ExecuteQueryRetry();
}
catch (Exception ex)
{
scope.LogWarning(ex, "Failed to add AdditionalAdministrator {0}", parsedAdminName);
}
}
// With the change from october, manage permission levels on subsites as well
if (siteSecurity.SiteSecurityPermissions != null)
{
var existingRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions.Include(wr => wr.Name, wr => wr.BasePermissions, wr => wr.Description));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleDefinitions.Any())
{
foreach (var templateRoleDefinition in siteSecurity.SiteSecurityPermissions.RoleDefinitions)
{
var roleDefinitions = existingRoleDefinitions as RoleDefinition[] ?? existingRoleDefinitions.ToArray();
var siteRoleDefinition = roleDefinitions.FirstOrDefault(erd => erd.Name == parser.ParseString(templateRoleDefinition.Name));
if (siteRoleDefinition == null)
{
scope.LogDebug("Creating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
var roleDefinitionCI = new RoleDefinitionCreationInformation();
roleDefinitionCI.Name = parser.ParseString(templateRoleDefinition.Name);
roleDefinitionCI.Description = parser.ParseString(templateRoleDefinition.Description);
BasePermissions basePermissions = new BasePermissions();
foreach (var permission in templateRoleDefinition.Permissions)
{
basePermissions.Set(permission);
}
roleDefinitionCI.BasePermissions = basePermissions;
var newRoleDefinition = web.RoleDefinitions.Add(roleDefinitionCI);
web.Context.Load(newRoleDefinition, nrd => nrd.Name, nrd => nrd.Id);
web.Context.ExecuteQueryRetry();
parser.AddToken(new RoleDefinitionIdToken(web, newRoleDefinition.Name, newRoleDefinition.Id));
}
else
{
var isDirty = false;
if (siteRoleDefinition.Description != parser.ParseString(templateRoleDefinition.Description))
{
siteRoleDefinition.Description = parser.ParseString(templateRoleDefinition.Description);
isDirty = true;
}
var templateBasePermissions = new BasePermissions();
templateRoleDefinition.Permissions.ForEach(p => templateBasePermissions.Set(p));
if (siteRoleDefinition.BasePermissions != templateBasePermissions)
{
isDirty = true;
foreach (var permission in templateRoleDefinition.Permissions)
{
siteRoleDefinition.BasePermissions.Set(permission);
}
}
if (isDirty)
{
scope.LogDebug("Updating role definition {0}", parser.ParseString(templateRoleDefinition.Name));
siteRoleDefinition.Update();
web.Context.ExecuteQueryRetry();
}
}
}
}
var webRoleDefinitions = web.Context.LoadQuery(web.RoleDefinitions);
var webRoleAssignments = web.Context.LoadQuery(web.RoleAssignments);
var groups = web.Context.LoadQuery(web.SiteGroups.Include(g => g.LoginName));
web.Context.ExecuteQueryRetry();
if (siteSecurity.SiteSecurityPermissions.RoleAssignments.Any())
{
foreach (var roleAssignment in siteSecurity.SiteSecurityPermissions.RoleAssignments)
{
if (!roleAssignment.Remove)
{
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == parser.ParseString(roleAssignment.RoleDefinition));
if (roleDefinition != null)
{
Principal principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
if (principal != null)
{
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(web.Context);
roleDefinitionBindingCollection.Add(roleDefinition);
web.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
web.Context.ExecuteQueryRetry();
}
}
else
{
scope.LogWarning("Role assignment {0} not found in web", roleAssignment.RoleDefinition);
}
}
else
{
var principal = GetPrincipal(web, parser, scope, groups, roleAssignment);
var assignmentsForPrincipal = webRoleAssignments.Where(t => t.PrincipalId == principal.Id);
foreach (var assignmentForPrincipal in assignmentsForPrincipal)
{
var binding = assignmentForPrincipal.EnsureProperty(r => r.RoleDefinitionBindings).FirstOrDefault(b => b.Name == roleAssignment.RoleDefinition);
if (binding != null)
{
assignmentForPrincipal.DeleteObject();
web.Context.ExecuteQueryRetry();
break;
}
}
}
}
}
}
}
return(parser);
}
