permissions problem with UpdateListItems

Feb 28, 2012 at 4:41 PM

Greetings. I've written code to check-in/check-out list items. It works great with administrators, but any other permissions level has trouble, a 401 unauthorized error with UpdateListItems on "_vti_bin/lists.asmx" for the site. I've confirmed that the users can view the "_vti_bin/lists.asmx" web service.

Here is my code:

    //declare variables used for check-in/check-out.
  var varName;
  var varChecked;
  var varID
  var varQueryStringVals;
  //Check who has checked out the item
  function getCheckOutPerson (){
$().SPServices({
    operation: "GetListItems",
    async: false,
    listName: "Communications Services Request Form",
    CAMLQuery: "<Query><Where><Eq><FieldRef Name='ID' /><Value Type='Number'>" + varID + "</Value></Eq></Where></Query>",
    completefunc: function (xData, Status) {
      $(xData.responseXML).SPFilterNode("z:row").each(function() {
        varChecked = $(this).attr("ows_CheckedOutTo");
      });
    }
  });
  };

$(document).ready(function() {
//Check-in if edits cancelled
    $("#cancelBtn").click(function(){
	  //Check in edited item.
	  if (varName == varChecked){
	$().SPServices({
        operation: "UpdateListItems",
        async: false,
        debug: true,
        listName: "Communications Services Request Form",
		ID: varID,
        valuepairs: [["CheckedOutTo", ""]],
        completefunc: function(xData, Status) {}
    });
	};
	});
 //get current user 
  varName = $().SPServices.SPGetCurrentUser({
	fieldName: "Title",
	debug: false
});
//get current list item ID
varQueryStringVals = $().SPServices.SPGetQueryString();
varID = varQueryStringVals["ID"];
     //get checked out name
  getCheckOutPerson();
  // item checked in or checked out by current user?
    if (varChecked == undefined || varName == varChecked){
//check out item
	$().SPServices({
        operation: "UpdateListItems",
        async: false,
        debug: true,
        listName: "Communications Services Request Form",
		ID: varID,
        valuepairs: [["CheckedOutTo", varName]],
        completefunc: function(xData, Status) {
        }
    });
};
//checked out message
if (varChecked != undefined && varName != varChecked) {
alert ("You cannot edit this item. It is check out by " + varChecked +".");
history.back();
}; 
//Display 'checked out to' in dispitem.aspx
getCheckOutPerson();
  if ($('.CheckedOut').text('')) {
    $('.CheckedOut').append(varChecked);
  }
  });

 function PreSaveAction() {
 if (varName != varChecked){
alert ("You cannot make changes to this item. It it checked out to " + varChecked);
return false;
};
		//Check in edited item.
	$().SPServices({
        operation: "UpdateListItems",
        async: false,
        debug: true,
        listName: "Communications Services Request Form",
		ID: varID,
        valuepairs: [["CheckedOutTo", ""]],
        completefunc: function(xData, Status) {}
    });
    return true;
 };


Mar 1, 2012 at 3:42 PM

Turns out this had nothing to do with anything I posted there. The permissions hierarchy is messed up, so read permissions are being given to users for a higher site when I try to give them contribute permissions at the list level and the list level permissions are being ignored.

Coordinator
Mar 1, 2012 at 4:17 PM

Permissions are always a rat's nest, eh?

The Web Services fully respect the user's permissions, so the first thing to check is the permissions themselves.

M.

Aug 15, 2012 at 8:42 PM
Edited Aug 15, 2012 at 9:22 PM

Ok. So I'm back to this issue and have not solved it.

I tried the this fix to no avail (http://mossipqueen.wordpress.com/2009/04/14/401-unauthorised-when-calling-sharepoint-web-services/)

UPDATES:

  • the UpdateListItems gives a 401 unauthorized error for users that do not have editing rights on the site under which the list exists, even though they can edit list items.
  • Only the UpdateListItems call to the lists.asmx web service is throwing the error.
  • Users that have adequate permissions at the site level where the list exists don't get the error, it's only when I've given them higher permissions on the list, than on the site (so general users)
  • If I'm logged in as a general user I can navigate to the lists.asmx service with no errors

So, now I don't know if I'm seeing a limitation of SPservices, if my site's permissions are too messed up, or if it's something I've yet to think of.

Aug 16, 2012 at 3:15 PM

Are user's trying to check in items checked out by someone else?  They can't can do that with "Contribute" permission on the list.  As a minimum, they will need "Approve" permission for the list.  With that, they will not be checking in an item checked out by another user but rather overriding a check out by the other user.  I believe that is the same as discarding a check out (and subsequently losing any changes related to the check out).

Aug 16, 2012 at 8:16 PM

The code is such that a user can only check out something that has been checked in. If the "CheckedOutTo" filed is not blank a user can't check it out. Currently with all list permission levels users cannot check out items that are checked in, and created by themselves. The only solution is to give the user permissions on the site housing the list, which is not viable, as it would require giving everyone in our organization edit rights to the site.

Coordinator
Aug 17, 2012 at 3:17 AM

SPServices itself isn't going to be causing an issue here. When you make the Web Services calls, it's always in the context of the current user. If the current user can't do exactly the same thing through the UI, then they can't through calls to the Web Services.

M.

Aug 17, 2012 at 2:22 PM

Thanks Marc, that's part of what I was looking for confirmation on. Now my question is, why can I navigate to the lists.asmx in a browser, as the user that throws the 401 error when I'm using SPServices? So far I've not gotten anywhere on that particular question.

Coordinator
Aug 17, 2012 at 2:28 PM

Going to lists.asmx is just showing you that the Web Service exists. What you see is the Web Service definition, but you're not making any call to its operations.

M.

Aug 20, 2012 at 5:28 PM

Right. I see that now. So, here's the issue I'm encountering, more broadly. It seems that pretty much anywhere I'm using web services a user with read rights to a site, but edit rights to a list cannot access the web services properly. I cannot figure out why this would be an issue, or how to fix it. It doesn't seem to be limited to SPServices, so it's probably out of scope for this forum, but maybe someone has a last option for me to try.

Aug 20, 2012 at 8:41 PM

SOLVED (At least the web services part of things)

The visitors permissions on our site had "use remote interfaces" totally disabled, so no web services were able to be used. Enabling that lets all users check things out.

Thanks for the help Marc, it pushed me in the right direction to figure out the problem.

Coordinator
Sep 11, 2012 at 12:43 PM

Great!

M.