Mystery Access Denied Troubleshooting in SharePoint

Problem

In a MOSS 2007 installation we have a site with a wiki library. The wiki library has been customized a bit with event handlers to do some fancy automatic permission assignments to individual wiki pages and prevent some users from approving wiki pages that they are not allowed to. This was done so that every user is able to add, read, edit wiki pages but let individual identified users handle the approval of the pages in a large wiki library. These details are probably inconsequential.

The real problem is there is a single user who can can read, add, and edit wiki pages. He is also assigned to approve some wiki pages. However, when he attempts to view the history of a wiki page for approval he gets an access denied error. The history page for a wiki page in a wiki library is an application page (in _layouts directory) with the following path: http://<path to sharepoint site>/_layouts/VersionDiff.aspx?ListID=<my wiki library id>&ID=<id for the wiki page>&Source=<return path>

The user also experiences this error when clicking the link to view incoming links. The path for this page is: http://<path to sharepoint site>/_layouts/BackLinks.aspx?ListID=<my wiki library id>&ID=<id for the wiki page>

This user has the following permissions being applied:

  • Site Permissions – Limited Access
  • List Permissions – Limited Access
  • Item Permissions – Design

This user is also part of a domain group which has the following permissions being applied:

  • Site Permissions – Limited Access
  • List Permissions – Contribute
  • Item Permissions – Contribute

Solution

I started a thread in the TechNet SharePoint forum in hopes of finding someone who has run into this problem before. Thanks to the folks in the forums, there were a few suggestions on how to resolve the problem. Unfortunately, I didn’t have the opportunity to try most of these. But here are the suggestions:

  • Delete the user from the SharePoint site and re-add the user and re-apply permissions.
  • Recreate the AD account
  • Assign a higher level privillege to a parent object (This is the band aid that I applied which resolved the problem)

Leave a Reply