only an administrator account can use it.

Mar 25, 2009 at 8:06 PM
When logged with other user, from visitors to site collection admin I got an access deny error when creating item on a list using the filtered lookup...

When logged with the admin (the account that install the WSP) there is no problem.

thanks in advance.
Coordinator
Mar 26, 2009 at 12:50 AM
It would be most useful if you could provide more information on the the error message you get, when it occurs, etc.

Regards,

Raphael.
Mar 26, 2009 at 1:24 AM
Well... it's as I said. I tried on 2 systems. with the admin account, the one I used to install the wsp, I'm able to configure the lookup on a list and make it work... When i tried with another user, I cannot create/open/edit an item on a list that is using the lookup... i got the typical 'Error: access denied - sign in as a different user' when hitting the new/view/edit button ...
I tried with different user from different group within sharepoint and the problem still the same...

my two systems are up to date with all service pack and microsoft update on sharepoint 2007 and .net 3.5. One on MOSS ent. and the other on WSS.

Thanks again.

Coordinator
Mar 26, 2009 at 2:28 AM
Edited Mar 26, 2009 at 2:46 AM
Great, thanks for that; I'll investigate further and, in the meantime, capture it as an issue.

A quick one though; people with "visitors" permission don't normally have add/edit item permissions. The user will need to have permissions to add/edit items in the specific list. You may need to establish that the lists you'd looked at don't have unique permission settings (i.e. they actually inherit permission settings from their respective parent sites). I'll look into this one.

Regards.
Mar 27, 2009 at 4:27 PM
Seems to me that all that needs to be done to resolve this is not to use parentSite.AllWebs - in FieldControl.Initialize(), and use parentSite.OpenWeb instead. Accessing AllWebs automatically needs admin rights.
Apr 14, 2009 at 6:41 PM
I had this field installed on our test SharePoint site.

I have set myself up with full rights for site permissions and on the list.

However, when I try to create a new filteredlookup column on the list, I get 'Error: Access Denied'.
I have the ability to add any other field and can add / edit / delete any item from the list.

Is there anything else I can check to see why this is not working?

Thanks.
Coordinator
Apr 15, 2009 at 8:57 AM
It appears to me that you simply cannot create a new filtered lookup column, irrespective of your permissions or roles.

If that's true, the issue you are experiencing isn't "only administrator account can use it"; even the admin account didn't work for you, right?

What you probably should be looking at is if you've got access to the source site, or source list you'd selected.

Also, are using a list view filter or a query filter? I'd suggest you first attempt to use a list view filter and the "Title" column, just to keep it simple at first and eliminate possible causes of the issue.

Please let me know how you get on.

Regards,

Raphael.
Jun 5, 2009 at 6:39 PM

I can confirm that this issue still exists even in the newer version (June 2). Even if a user who has full admin rights for the site gets prompted to login as a user who has site admin rights. Sounds like a simple perms issue - any guesses where that might be?

 

- Donald

Jun 5, 2009 at 7:31 PM

I had some time to look further - if the user attempting to add the filtered lookup field isn't a site collection admin, they get a permission denied error when they check the radio button for the field. Being an admin on the SP server (Windows admin) or being a farm admin does not make any difference - the user must have the site collection admin rights for it to work.

Hope this helps. Seems like a great addin - can't wait till I can use it.

- Donald

Coordinator
Jun 7, 2009 at 2:42 PM

I should quickly add that you do not need to be a "Site Collection Admin" to add the filtered lookup field to a list; rather you need to have the appropriate permissions that allow you to add, update, delete, approve, and customize.

 

Thus, the minimum permission required to be able to add a new column to a list or modify the settings of a list is Design and the mimimum permission required to be able to add a new item to a list is "Contribute". These permissions are standard and apply to all lists/libraries where these actions are (or need to be) performed.

 

Regards,

Raphael.

Jun 8, 2009 at 2:26 PM
Edited Jun 8, 2009 at 2:37 PM

Raphael,

I believe you may be misunderstanding the issue - I know that design rights are required to create new columns on a list. What I am trying to state is that after installing the solution, no user on my system can create a filtered lookup column, even those with list 'Full Control' rights and even site Admin rights UNLESS they are also in the site collection admin group. I've tried this with multiple user accounts, all get a permission denied screen when they attempt to select the radio button for the filtered lookup.

If you would like, I can send you a screencap video of the error. Rest assured I checked all the obvious - I've been working with MOSS since it was released. I think kerray was on to something - check his post above.

 

- Donald

Coordinator
Jun 9, 2009 at 8:39 PM
Edited Jun 9, 2009 at 8:40 PM

Thanks Donald, I'll keep an eye out for this as things evolve.

 

Regards,

 

Raphael.

Jun 18, 2009 at 2:51 PM

I am having the same issue.

I can use the filtered lookup column as a site collection admin, but anyone else who has full control over the list (but not site collection admin) gets access denied as soon as they choose this column type.

Jun 30, 2009 at 8:15 AM

Hi, friends

I see that I'm not alone with filtered lookup problems.

I've downloaded solution for filtered lookup, instaled it succesfully for all sites and..... can't deploy. When I add to the list new field with filtered lookup, pages for edit or new item fild display this filed in non-editing mode. All the other fields are displyed normaly - in edit mode. There is only a label and nothing more. I can't park on the field and choose any option. It looks like be in "display mode". I'm logged as an site administrator and have all priviliges. For the beggining I've choose "Applay list view filter".

Is it possible that language settings are incorrect? But, view months ago I've downloaded 20 Templates from Microsoft and they run properly.

Best regards and I'm hopping to get solutions from you.

Aug 19, 2009 at 9:14 AM
Edited Aug 19, 2009 at 9:24 AM

Hi Raphael,

I had the same experience, only members of the "Site Collection Administrators" are able to add a Filtered Lookup field to a list. If you have Full Control on the list where you want to add a filtered lookup column and want to lookup to a list in another site (also with full controll), you get a access denied issue. You don't have that issue when your lookup remains in the same site.

I did some debugging for users who have full controll but who don't belong to the "Site Collection Administrators) and I ran against 2 issues, both in the FiltertedLookupFieldEditor class.

1. SetTargetWeb()
You hit to an access denie when you get to the line "foreach (SPWeb web in _webCollection)".

It seems if you are not a Site Collection Administrator, you don't have access to "SPWebCollection _webCollection = _site.AllWebs;" which results in an exception.
I was able to get around this by using
SPSecurity.RunWithElevatedPrivileges(delegate()
{
     SPWebCollection _webCollection = _site.AllWebs;
     string contextWebId = SPControl.GetContextWeb(this.Context).ID.ToString();
     ...
})
Of course now the code acts as a system admin and you will get all sites, even those ones where you don't have access.

2. OnSaveChange(SPField field, bool isNewField)
I don't have all knowledge on SharePoint but this function seems mandatory for the Usercontrol, IFieldEditor base class.
In here we have the same "access denied" issue.
Now it occurs on _f.LookupWebId = _web.ID

I thought I could solve it in the manner as above but it didn't.
The issue is now not related to the _Web.ID which I could retrieve perfectly by using SPSecurity.RunWithElevatedPrivileges(delegate() {});
The issue is now related to the field (_f) which is passed to the function and which does not have sufficient rights to allow a change of it's attributes.
You need to be a Site Collection Administrator to be able to do this.
Unfortunately, I don't see a way to modify this functionality so that the field is passed to the function with suffifient rights to modify it.

I hope this can help you to simulate it and take a closer look at it.
I'm afraid that it won't be easy to solve this issue, it's probably a core SharePoint issue/bug.

So for now, your Filtered Lookup Field is a great help for me, unfortunately the users who design sites/lists need to be Site Collection Administrators to be able to use it.

Regards,

Filip

Oct 7, 2009 at 11:20 PM

Hi guys, I'm having the same error. Only users in the Site Collection Administrators can use it. I tried whith a user in the Owners (Full Control) group, but it keeps sending the Deny access error. any solution?

Oct 20, 2009 at 7:38 PM

Any solutions for this or is everyone still in the same boat?  Didn't want to install it if it is not working for users with contribute rights to a site.

Oct 20, 2009 at 10:09 PM

The solution I pasted earlier in this thread doesn't work?

kerray wrote:
Seems to me that all that needs to be done to resolve this is not to use parentSite.AllWebs - in FieldControl.Initialize(), and use parentSite.OpenWeb instead. Accessing AllWebs automatically needs admin rights.

 

Oct 21, 2009 at 2:34 PM
kerray wrote:

The solution I pasted earlier in this thread doesn't work?

kerray wrote:
Seems to me that all that needs to be done to resolve this is not to use parentSite.AllWebs - in FieldControl.Initialize(), and use parentSite.OpenWeb instead. Accessing AllWebs automatically needs admin rights.

 

 Was this directed to me?  If so, are you saying to open up the source code and do a find/replace on AllWebs, changing it to OpenWeb?

 

Has anyone tried this and verified that it fixes the problem?

Oct 21, 2009 at 3:12 PM
Edited Oct 21, 2009 at 3:15 PM

I checked current source code and it seems that what I suggested was already incorporated (at least partly). However, in FilteredLookupFieldEditor.cs, traces still remain - all instances of

using (SPWeb _web = _site.AllWebs[new Guid(listTargetWeb.SelectedItem.Value)])

should be simply corrected to

using (SPWeb _web = _site.OpenWeb(new Guid(listTargetWeb.SelectedItem.Value))

 

However, the line in FilteredLookupFieldEditor.cs in SetTargetWeb()

 

SPWebCollection _webCollection = _site.AllWebs;

 

is a different matter. Sadly, following easy solution doesn't seem to work well enough

SPWebCollection _webCollection = _site.OpenWeb().GetSubwebsForCurrentUser();

 

Update, I can see fdendauw already wrote all this...

Oct 21, 2009 at 3:58 PM

OK, this seems to be the solution, at least in principle. Go through all webs, and save guids of those which the user can open. Then use these to fill the dropdown.

Change the starting block of SetTargetWeb() to this:

      listTargetWeb.Items.Clear();
      List<ListItem> str = new List<ListItem>();

      using (SPSite _site = SPControl.GetContextSite(this.Context)) {
        Guid[] webguids = Tools.FindWebsForUser(_site.OpenWeb(), SPContext.Current.Web.CurrentUser);
        string contextWebId = SPControl.GetContextWeb(this.Context).ID.ToString();
        
        foreach (Guid guid in webguids) {
            using (SPWeb subweb = _site.OpenWeb(guid))
            {
                if (subweb.DoesUserHavePermissions(
                  SPBasePermissions.ViewPages | SPBasePermissions.OpenItems | SPBasePermissions.ViewListItems))
                {
                    str.Add(new ListItem(subweb.Title, subweb.ID.ToString()));
                }
            }
        } // the rest of the function after line 87 is unchanged 

And include these functions in the FilteredLookupFieldEditor class

private bool PrincipalHasPermissions(ISecurableObject item, SPPrincipal principal, SPBasePermissions permissions)
{
    SPRoleAssignment roleAssignment = null;
    try
    {
        roleAssignment = item.RoleAssignments.GetAssignmentByPrincipal(principal);
    }
    catch
    {
        // this also happens for administrator, so we'll make a check for siteadmins before using this function
        return false;
    }

    foreach (SPRoleDefinition definition in roleAssignment.RoleDefinitionBindings)
    {
        if ((definition.BasePermissions & permissions) == permissions)
        {
            return true;
        }
    }

    return false;

}

private Guid[] FindWebsForUser(SPWeb topweb, SPUser user)
{
    System.Collections.ArrayList Guids = new System.Collections.ArrayList();
    try
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite elevatedSite = new SPSite(topweb.Site.ID, topweb.Site.SystemAccount.UserToken))
            {
                foreach (SPWeb web in elevatedSite.AllWebs)
                {
                    if (user.IsSiteAdmin || PrincipalHasPermissions(web, user, SPBasePermissions.Open))
                    {
                        Guids.Add(web.ID);
                    }
                }
            }
        });
        return (Guid[])Guids.ToArray(typeof(Guid));
    }
    catch (Exception exc)
    {
        // your logging here
        return null;
    }
}

 

 

Oct 29, 2009 at 2:26 PM

I tried to modify the code as you mentioned, but "Object reference not set to an instance of an object  " error is returned.

I have already posted this item in: http://filteredlookup.codeplex.com/WorkItem/View.aspx?WorkItemId=3338

Marco

Oct 29, 2009 at 7:30 PM

I too have the same problem as everyone else.  I'm the admin of the site.  I have full control rights to the site.  I'm not a member of the "Site Collection Administrators".

I cannot add a field of this type.

Wade-o

Oct 30, 2009 at 1:24 PM

hi guys,

at the end i succeded in making this solution work.

after having modified the code as kerray suggested, i built the solution and deployed it in my environment.

i still got the error when an user tried to use that field, so i tried to investigate inside kerray's code and i think i founded the solution.

in these lines:

{
if (subweb.DoesUserHavePermissions(
SPBasePermissions.ViewPages | SPBasePermissions.OpenItems | SPBasePermissions.ViewListItems))
{
str.Add(new ListItem(subweb.Title, subweb.ID.ToString()));
}
}

the code checks for user permissions, so you had to add the single user to the web site in which the filtered lookup field was deployed. IT DOESN'T WORK with goups!!!!

in my case i had only groups added to the web site, adding single users made it work.

is there a way to change to code to check permissions for groups instead of single users?

waiting.....

 

May 12, 2011 at 2:36 AM

This is still an issue with the latest version - it makes what would be a useful add-on far less useable than it should be - even a user with 'Full Control' of the site cannot add a field of this type - they get 'Error: Access Denied'.

Nov 19, 2011 at 6:07 AM

It seems as if this solution is not much of a solution at all. T is a much needed field for sharepoint and would be good to see an update but with no update since 2009  it would seem as if this project is dead. Does anyone know if there is a fix coming for this?