Thursday, 10 July 2014

Access denied error while activating “Following Content” feature

Hi All,

It has been a long time again; I was too busy with project work, and now I have a long list of topics ready for sharing.

This post is about activating the “Following Content” web-level feature.

Our customer reported a bug: they were getting an Access Denied error when trying to activate the “Following Content” feature.

We started the investigation. The user who was trying to activate this feature has Site Collection Administrator rights, which means that even a Site Collection Administrator couldn't activate this feature.

So we started digging through the ULS logs and found the following exception related to this feature:

<nativehr>0x80070005</nativehr><nativestack></nativestack>Access is denied.

SPRequest.GetFileAndFolderProperties: UserPrincipalName=i:0).w|s-1-5-21-962155459-1177681987-1237804090-74654, AppPrincipalName= ,bstrUrl=http://<my site>/personal/<user account> ,bstrStartUrl=Social/Private/FollowedSites ,ListDocsFlags=24584 ,bThrowException=False       a0fa9d9c-f590-6094-c775-fb7648d76852
System.UnauthorizedAccessException: <nativehr>0x80070005</nativehr><nativestack></nativestack>Access is denied., StackTrace:    at Microsoft.SharePoint.SPWeb.GetFileOrFolderProperties(String strUrl, ListDocsFlags listDocsFlags, Boolean throwException, SPBasePermissions& permMask)     at Microsoft.SharePoint.SPFolder.PropertiesCore(Boolean throwException)     at Microsoft.SharePoint.SPFolder.get_Exists()     at Microsoft.Office.Server.UserProfiles.SPSocialDataStore.EnsureNamespaceExists(String ns, String scopeName, Boolean secured)     at Microsoft.Office.Server.UserProfiles.SPSocialDataStore.WriteFollowedItem(FollowedItem item, FollowedItemData data)     at Microsoft.Office.Server.UserProfiles.SPSocialDataStore.Follow(FollowedItem item, FollowedItemData data, Boolean checkLimit)     at Mic...    a0fa9d9c-f590-6094-c775-fb7648d76852
...rosoft.Office.Server.UserProfiles.FollowedContent.FollowItem(FollowedItem item, Boolean isInternal)     at Microsoft.Office.Server.UserProfiles.FollowedContent.Follow(Uri url, FollowedItemData data)     at Microsoft.SharePoint.Portal.ContentFollowingFeatureReceiver.AutoFollowWeb(SPWeb web)     at Microsoft.SharePoint.Portal.ContentFollowingFeatureReceiver.FeatureActivated(SPFeatureReceiverProperties properties)     at Microsoft.SharePoint.SPFeature.DoActivationCallout(Boolean fActivate, Boolean fForce)     at Microsoft.SharePoint.SPFeature.Activate(SPSite siteParent, SPWeb webParent, SPFeaturePropertyCollection props, SPFeatureActivateFlags activateFlags, Boolean fForce)

After digging into these logs, it seems that the UnauthorizedAccessException is thrown while accessing the Social list in the My Site of one particular user account. We wondered why it tries to access the Social list of another account's My Site and not the My Site of the current user who is trying to activate the feature.
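The log reading described above can be automated. This is an added example, not part of the original post and not SharePoint code: a Python sketch that stitches split ULS messages by correlation ID and reports, for each Access Denied raised under ContentFollowingFeatureReceiver.AutoFollowWeb, which My Site and principal the request recorded. The log tuples are constructed and the function names are hypothetical.

```python
import re

RECEIVER = "ContentFollowingFeatureReceiver.AutoFollowWeb"
REQUEST = re.compile(
    r"UserPrincipalName=[^,]*\|(?P<sid>s-1-5-[\d-]+),.*?"
    r"bstrUrl=(?P<url>.*?) ,bstrStartUrl=(?P<folder>.*?) ,", re.I | re.S)

# Constructed (message, correlation ID) pairs modelled on the entries above;
# the SID, host, account name and correlation IDs are made up.
CID_A = "00000000-0000-0000-0000-00000000000a"
CID_B = "00000000-0000-0000-0000-00000000000b"
SAMPLE = [
    ("SPRequest.GetFileAndFolderProperties: UserPrincipalName=i:0).w|"
     "s-1-5-21-1111111111-2222222222-3333333333-1001, AppPrincipalName= ,"
     "bstrUrl=http://mysite.example/personal/jdoe ,"
     "bstrStartUrl=Social/Private/FollowedSites ,ListDocsFlags=24584 ,"
     "bThrowException=False", CID_A),
    ("System.UnauthorizedAccessException: Access is denied., StackTrace: at "
     "Microsoft.Office.Server.UserProfiles.FollowedContent.Follow(Uri url, "
     "FollowedItemData data) at Microsoft.SharePoint.Portal.ContentFollowingFeat...", CID_A),
    ("...ureReceiver.AutoFollowWeb(SPWeb web) at Microsoft.SharePoint.Portal."
     "ContentFollowingFeatureReceiver.FeatureActivated(SPFeatureReceiverProperties properties)", CID_A),
    ("System.UnauthorizedAccessException: Access is denied., StackTrace: at "
     "Microsoft.SharePoint.SPWeb.GetFileOrFolderProperties(String strUrl)", CID_B),
]

def stitch(entries):
    """Group messages per correlation ID, rejoining 'xxx...' + '...yyy' splits."""
    grouped = {}
    for message, cid in entries:
        parts = grouped.setdefault(cid, [])
        if parts and parts[-1].endswith("...") and message.startswith("..."):
            parts[-1] = parts[-1][:-3] + message[3:]
        else:
            parts.append(message)
    return grouped

def auto_follow_denials(entries):
    """Return one finding per request where AutoFollowWeb hit Access Denied."""
    findings = []
    for cid, parts in stitch(entries).items():
        text = "\n".join(parts)
        request = REQUEST.search(text)
        if "UnauthorizedAccessException" in text and RECEIVER in text and request:
            url = request.group("url")
            findings.append({"correlation": cid,
                             "principal_sid": request.group("sid").upper(),
                             "my_site": url,
                             "my_site_owner": url.rstrip("/").rsplit("/", 1)[-1],
                             "folder": request.group("folder")})
    return findings
```

Comparing `my_site_owner` in a finding with the account of the user who clicked Activate shows whether the denied request targeted someone else's My Site, which is the mismatch this post investigates.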

When we logged in with the account given in the exception and tried to activate the feature, the feature was activated successfully. We were really wondering what was happening, since any user who has proper permissions on the web should be able to activate the feature.

So, to check what exactly happens when this feature is activated, I took the help of my best friend, ILSpy, and looked at the code of the FeatureActivated method.

It calls the method AutoFollowWeb(). The following is the code of this method:

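    // web.Author is the user who created the web, not the user activating the feature
    UserProfile userProfile = userProfileManager.GetUserProfile(web.Author.LoginName);
    // the author's token is what gets passed to FollowedContent
    SPUserToken userToken = web.Author.UserToken;
    FollowedContent followedContent = new FollowedContent(userProfile, context, userToken);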

Notice the use of web.Author. It returns the author of the web, that is, the user who created the web, and not the current user who is activating the feature.

So this means that no user except the one who created the web (the author of the web) can activate this feature.

A few takeaways:

  1. Only the user who created the web (the author of the web) can activate this feature. All other users are unable to activate it.
  2. Whenever the “Following Content” feature is activated on a web, the web is automatically followed for the author of the web.
  3. Once the feature has been activated by the author of the web, other users can follow the web. When a user follows the web, an entry is made in the Social list, which is available in the user's My Site.

 That’s all for now.


 Enjoy reading :)

 Feel free to share ideas / comments / feedback, if any, or ask if you have any query :)


Anonymous said...

I think the use of the token is for the elevation of the identity.
So that means even if you are not the user who created the web but you are still trying to activate this feature, then all it is doing is letting you act as the web owner and activating the feature on your behalf.
So I don't think that the issue is really solved by using the owner account; it should be something different. Not sure, but just my guess.

Prasham Sabadra said...

Not actually. Here, the token is not used for elevation of the identity. Initially I had the same thought, but even that is not logically correct.

Because the ULS logs also show the Access Denied error for the personal site of the Author; even though there is elevation, an entry in the Social list of the Owner's personal site should not be allowed, since AutoFollow is happening there.

And if we dig further, it seems that nowhere is the current user's instance taken.

We tested with Site Collection Administrator rights also, but it didn't work. And when we tested with the web Author, it worked fine.