Fix To: SharePoint Unique Permissions Issue

I am playing a bit with SharePoint Discussion Boards these days. This post describes one of my interesting findings from a Discussion Board based solution that relies on server-side code.

One of our customers had implemented comment and reply functionality for news article pages using a discussion board and the JavaScript object model.

We had a separate news center for each of the business units and chose to keep the comments for each business unit in its own discussion board. All of these discussion boards were placed in a separate site collection so that we could grant Contribute access to individual discussion boards even to the readers of the portal. This allowed everyone to comment on any news page that they could read. We broke the permission inheritance for each of the discussion boards and gave the site collection visitors the 'Contribute' permission level.

A custom JavaScript implementation provided the user interface on the news article page to add, edit and delete a comment on the article.

We had a Content Search web part that rolled up data from these discussion boards on the respective news centers. A display template was used to link the discussion board data to the corresponding news page. This web part displayed the most recently commented articles. SharePoint's out-of-the-box 'DiscussionLastUpdated' property was used to display the time when a discussion (and therefore a news article) was last commented on.

We had a strange issue: the web part was not functioning as expected. When a user with full permissions to the portal commented on any news page, the web part displayed the last comment time correctly after an incremental crawl. But whenever a reader commented, the time did not update after an incremental crawl. A full crawl, however, would update the web part correctly.

We investigated many permutations and combinations of configuration, user access, the CBS web part query, service account configuration, etc., but did not find a solution.

They say that "every problem has a hint of a solution in it".

The discussion boards have a couple of content types:

  1. Discussion: A folder-based content type, used as a container for the messages of the discussion. It represents the discussion topic and carries a number of metadata properties for the discussion.
  2. Message: An item-based content type that represents the actual messages in the discussion. Messages are stored inside folders of the Discussion content type.

The commenting solution created a separate discussion for each news page when any user commented on it for the very first time. Technically it created two items in the business unit's discussion board: a Discussion item and a Message item. The Discussion item had a cryptic title that the CBS web part used to filter the results for a specific business unit. The Message item was the comment that the user entered on the page for the first time.

The subsequent comments for that page would then be added in the same Discussion folder.

We had the list setting enabled that lets users modify only their own items. And this was the catch!

The DiscussionLastUpdated property is attached to the Discussion folder, and it is updated when a Message is added. So the web part worked as expected only as long as the user who commented was the one who had first commented on the page and therefore owned the Discussion folder. When other users commented on the page, the DiscussionLastUpdated property was not updated, because the Discussion folder was not created by the commenting user: they were not allowed to modify the folder and, in turn, could not update the DiscussionLastUpdated property.
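A quick way to confirm this diagnosis on a farm is to compare each Discussion folder's DiscussionLastUpdated value with the Modified time of the newest Message inside it. The following PowerShell script is an added example, not a script from the original post; it uses the SharePoint server object model, so it must run on a farm server, and the site URL and list title are placeholders you replace with your own.

```powershell
# Added diagnostic (not from the original post). Assumes the SharePoint server
# object model on a farm server; $webUrl and $listTitle are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl    = "http://portal.example.com/sites/comments"   # placeholder
$listTitle = "BU Comments"                                # placeholder

$web = Get-SPWeb $webUrl
try {
    $list = $web.Lists[$listTitle]

    # On a discussion board, $list.Folders returns the Discussion (folder) items.
    foreach ($topic in $list.Folders) {
        $query = New-Object Microsoft.SharePoint.SPQuery
        $query.Folder = $topic.Folder
        $query.ViewAttributes = "Scope='Recursive'"
        $messages = $list.GetItems($query)
        if ($messages.Count -eq 0) { continue }

        # Newest reply according to the Message items themselves
        $latestReply = ($messages | ForEach-Object { [datetime]$_["Modified"] } |
                        Sort-Object -Descending | Select-Object -First 1)

        # What the crawler (and therefore the CBS web part) sees on the folder
        $lastUpdated = [datetime]$topic["DiscussionLastUpdated"]

        # A folder that lags behind its own messages is one the later
        # commenters could not modify; its creator is shown for comparison.
        if ($latestReply -gt $lastUpdated) {
            "{0}: folder says {1}, newest message is {2}, folder created by {3}" -f `
                $topic.Title, $lastUpdated, $latestReply, $topic["Author"]
        }
    }
}
finally {
    $web.Dispose()
}
```

Every topic the script reports is one where a reply was added but the folder's DiscussionLastUpdated did not move, which is exactly the symptom that an incremental crawl cannot repair.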

Solution

We observed that the web part worked as expected when we gave the site collection visitors the 'Design' permission level instead of the 'Contribute' permission level.

We wanted to grant users the least permission possible and found that it was sufficient to add the 'Manage Lists' and 'Override List Behaviors' permissions to the 'Contribute' permission level. As a best practice, we did not modify the default 'Contribute' permission level but created a copy of it and added those two permissions to the copy.
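The same change can be scripted so it is repeatable across the business unit discussion boards. The script below is an added example and not the original post's own steps (the post describes doing this through the UI); it assumes the SharePoint server object model on a farm server, runs against the root web of the site collection that holds the discussion boards (custom permission levels live there), and uses placeholder values for the site URL, list title and the new level's name. In the server object model, 'Manage Lists' is SPBasePermissions.ManageLists and 'Override List Behaviors' is SPBasePermissions.CancelCheckout.

```powershell
# Added example (not the original post's script). Assumes the SharePoint server
# object model on a farm server; $webUrl, $listTitle and $levelName are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl    = "http://portal.example.com/sites/comments"   # placeholder: root web of the comments site collection
$listTitle = "BU Comments"                                # placeholder: one business unit's discussion board
$levelName = "Contribute (Discussion Comments)"           # placeholder: name of the copied level

$web = Get-SPWeb $webUrl
try {
    $contribute = $web.RoleDefinitions["Contribute"]

    # 1. Copy 'Contribute' into a new level rather than editing the built-in one.
    $level = $web.RoleDefinitions | Where-Object { $_.Name -eq $levelName }
    if ($level -eq $null) {
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $levelName
        $level.Description = "Contribute plus Manage Lists and Override List Behaviors, so that replies can update DiscussionLastUpdated on Discussion folders the replier does not own."
        # 'Manage Lists' = ManageLists; 'Override List Behaviors' = CancelCheckout
        $level.BasePermissions = $contribute.BasePermissions -bor
            [Microsoft.SharePoint.SPBasePermissions]::ManageLists -bor
            [Microsoft.SharePoint.SPBasePermissions]::CancelCheckout
        $web.RoleDefinitions.Add($level)
        $level = $web.RoleDefinitions[$levelName]
    }

    # 2. Grant the new level to the site collection visitors on the discussion
    #    board only; the rest of the site collection stays read-only for them.
    $list = $web.Lists[$listTitle]
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }

    $visitors   = $web.AssociatedVisitorGroup
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($visitors)
    $assignment.RoleDefinitionBindings.Add($level)
    $list.RoleAssignments.Add($assignment)

    # 3. Drop the plain 'Contribute' binding for visitors on this list, if it was
    #    there from the earlier setup, so the list carries only the new level.
    $assignment = $list.RoleAssignments.GetAssignmentByPrincipal($visitors)
    if ($assignment.RoleDefinitionBindings.Contains($contribute)) {
        $assignment.RoleDefinitionBindings.Remove($contribute)
        $assignment.Update()
    }
}
finally {
    $web.Dispose()
}
```

Keeping the new level scoped to the discussion board lists, rather than the whole site collection, is what keeps this a least-privilege change: 'Manage Lists' and 'Override List Behaviors' are list-level rights, and visitors still have only Read everywhere else.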