In a recent case I was analyzing an interesting access denied scenario related to publishing pages.
In the specific scenario permissions were broken on the Pages library and all rights except for the site owners group were removed from the pages library. In addition permissions were broken on the publishing pages and individual permissions were granted to different groups of users on each of the publishing pages.
The result was that all users except the member of the site owners group received an access denied.
On first thought this was unexpected as the users had all the required rights on the publishing pages the users tried to access.
During the analysis I identified that the problem will occur in the following scenario:
- permission have been broken on the Pages library and on a Publishing Page
- the user accessing the page does not have read permission on the Pages Library
- minor version and moderation (content approval) is enabled on the Pages library.
The reason for the problem is that the Ribbon control contains controls which verify if minor version and moderation is enabled to see if the Schedule button should be displayed or not:
The decision whether to display the button or not is based on one additional criteria: that the Microsoft.SharePoint.Publishing.Internal.ScheduledItemEventReceiver is bound to the ItemAdded and ItemUpdated events of the Pages library as this event receiver is responsible to register the scheduling for the item.
And this check causes the problem. In order to check if these event receivers are registered it is required to read the SPList object of the pages library – and here the current user does not have rights.
In order to resolve this problem it is required to give all users read permission on the Pages library.