Checking user permissions: DoesUserHavePermissions vs. CatchAccessDeniedException


I recently had a nice discussion with a colleague about the best way to check if the current user has permissions to view a specified SharePoint list in a SP2010 site using C#.

 

 

Basically there are 2 ways to check for permissions:

1) SPSecurableObject.DoesUserHavePermissions

2) SPSecurity.CatchAccessDeniedException

This post discusses both methods, proposes an implementation of each and weighs the pros and cons.

Method 1 (DoesUserHavePermissions method) simply returns true if the current user has a specific set of permissions defined by the SPBasePermissions parameter. However, in order to enumerate permissions of a list or library the code must run with elevated privileges, which requires the instantiation of a new SPSite object and a new SPWeb object.

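        // Extension method: declare it inside a static class.
        // Requires: using System; using Microsoft.SharePoint;
        public static Boolean DoesUserHavePermissions_1(this SPWeb web, String listname)
        {
            Boolean perm = false;
            // The delegate runs as the application pool identity, not as the current user.
            SPSecurity.RunWithElevatedPrivileges(() =>
            {
                // New SPSite/SPWeb objects are needed so they pick up the elevated context.
                using (var elevSite = new SPSite(web.Url))
                {
                    using (var elevWeb = elevSite.OpenWeb())
                    {
                        SPList list = elevWeb.Lists[listname];
                        // Evaluate the permissions of the original (non-elevated) user.
                        perm = list.DoesUserHavePermissions(web.CurrentUser,
                            SPBasePermissions.ViewListItems);
                    }
                }
            });
            return perm;
        }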

Method 2 (CatchAccessDeniedException method) relies on a try-catch mechanism to check the permissions.

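        // Extension method: declare it inside a static class.
        // Requires: using System; using Microsoft.SharePoint;
        public static Boolean DoesUserHavePermissions_2(this SPWeb web, String listname)
        {
            // Remember the current flag so it can be restored afterwards.
            Boolean catchException = SPSecurity.CatchAccessDeniedException;
            // Let access-denied errors reach this code as exceptions.
            SPSecurity.CatchAccessDeniedException = false;
            try
            {
                SPList list = web.Lists[listname];
                return true;
            }
            catch (Exception)
            {
                // Note: any failure ends up here, including a list name that does not exist.
                return false;
            }
            finally
            {
                // Reset the flag to its original value.
                SPSecurity.CatchAccessDeniedException = catchException;
            }
        }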

In order to find out which of the methods described above performs best I have written a small test application. I have run both methods 200 times on a list: 100 times with a user who does have permissions to view that list and 100 times with a user who isn’t able to view that same list. You can see the results in the table below.

| Test | DoesUserHavePermissions | CatchAccessDeniedException |
| --- | --- | --- |
| 100 runs while user has permissions | 1.59 seconds | 0.03 seconds |
| 100 runs while user doesn’t have permissions | 1.55 seconds | 0.81 seconds |

As you can see, the CatchAccessDeniedException method is always faster than the DoesUserHavePermissions method. The extra calculation cost involved in catching an exception doesn’t outweigh the calculation cost of instantiating a new SPSite and SPWeb object.

So, whenever you need a fast and simple way of checking user permissions, use the CatchAccessDeniedException method. If you need more control over what kind of permissions to check, you can always fall back on the DoesUserHavePermissions method.
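A variant that keeps the speed of the try-catch approach while letting the caller choose the permission mask, shown as an added example that is not part of the original post. `ListAccess` and `CheckListAccess` are hypothetical names; the code assumes the single-argument `DoesUserHavePermissions` overload evaluates the current user and that the list-name indexer throws `ArgumentException` for a missing list.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: hypothetical names, not the author's code.
public enum ListAccess { Granted, Denied, NotFound }

public static class ListAccessExtensions
{
    public static ListAccess CheckListAccess(this SPWeb web, string listName,
        SPBasePermissions required)
    {
        if (web == null) throw new ArgumentNullException("web");
        if (String.IsNullOrEmpty(listName))
            throw new ArgumentException("List name is required.", "listName");

        bool original = SPSecurity.CatchAccessDeniedException;
        // Surface access-denied as an exception instead of a redirect
        // to the access-denied page.
        SPSecurity.CatchAccessDeniedException = false;
        try
        {
            SPList list = web.Lists[listName];
            // Current-user overload: no elevated SPSite/SPWeb is created.
            return list.DoesUserHavePermissions(required)
                ? ListAccess.Granted
                : ListAccess.Denied;
        }
        catch (UnauthorizedAccessException)
        {
            // Only an authorization failure counts as "denied".
            return ListAccess.Denied;
        }
        catch (ArgumentException)
        {
            // Assumption: thrown by the indexer when the list does not exist.
            return ListAccess.NotFound;
        }
        finally
        {
            // Always restore the flag, even when an unexpected exception escapes.
            SPSecurity.CatchAccessDeniedException = original;
        }
    }
}
```

Any other exception propagates to the caller instead of being reported as a permission result. Keep the `Denied`/`NotFound` distinction for server-side logging and show users the same message for both, so the check does not reveal which lists exist.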

About the author

Alain


2 Responses to “Checking user permissions: DoesUserHavePermissions vs. CatchAccessDeniedException”

  1. VIvek says:

    Very clean article. No confusion. Was searching for the solution for a long time. Thank you Alain.

  2. Ravi says:

    Hi,
    How can we do this to check if the user has permissions to the current website?
    DoesUserHavePermissions is very slow in my case
