This article is a free translation of an old post of mine written 3 years ago but always alive: what kind of Permission I must have in order to start a Sharepoint Workflow?
Here the link to original article
http://zsvipullo.blogspot.it/2014/09/sharepoint-2013-access-denied-opening.html
For eight years I've been playing at SharePoint and I go on and I'm more convinced that product developers have been looking for, as we say in Genoa, with the lanternino!
The scenario is very simple: a SharePoint 2013 solution on which users have read access to a site and, on a single list, they have contribute rights on order to add items and then start a custom Visual Studio Workflow.
By this way, user will read all lookup value lists, system lists, without having right to edit the content and, at the same time, he can use the approval workflow associated to the list on which he has contribute right.
Nothing more sensible, I can say…
Then lets configure my lists, break inheritance on my main list, add the right permissions and I try to run the workflow using a standard user.
Amazed, I get an Access Denied when from the ECB menu I try to select the Workflow item in order to show the Workflow.aspxpage.
Well, I think, probably SharePoint will check if the current user has contribute permission on the Task / History lists associate to workflow instance… I suppose…
Lets break inheritance on this 2 lists and try again.
Nothing, always Access Denied.
Into ULS I can find this log:
Permission check failed. asking for 0x4, have 0xb008431061
And then this StackTrace:
Access Denied. Exception: Attempted to perform an unauthorized operation., StackTrace:
at Microsoft.SharePoint.Utilities.SPUtility.HandleAccessDenied(Exception ex)
at Microsoft.SharePoint.SPSecurableObject.CheckPermissions(SPBasePermissions permissionMask)
at Microsoft.SharePoint.WorkflowServices.StoreSubscriptionService.EnumerateSubscriptionsByEventSource(Guid eventSourceId)
at Microsoft.SharePoint.WorkflowServices.ApplicationPages.WorkflowPage.ConstructStartArray()
at Microsoft.SharePoint.WorkflowServices.ApplicationPages.WorkflowPage.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
With a lot of patience I try to user SQL Profiler in order to understand which calls are executed on SQL Database, to understand on which list, actually, I have to give EditListItems permissions (0x4 means this) to the current user.
Nothing… Omitting the huge amount of calls to the database that SharePoint perform in order to show a page, I can’t find nothing of useful.
Last chance: using reflection on assembly behind the Workflow.aspx page.
Using my valid friend ILSpy, I open the assembly named
Microsoft.SharePoint.WorkflowServices.ApplicationPages
Navigating to the same namespace until find the WorkfloPageclass, trying to follow the logic flow thanks also to the StackTrace above.
I’ll start from OnLoad…
protected override void OnLoad(EventArgs e)
{
SPUtility.EnsureAuthentication(base.Web);
base.OnLoad(e);
string text = "Workflow_PageDescription";
string text2 = "Workflow_NoRunningWorkflows";
string text3 = "Workflow_NoCompletedWorkflows";
string text4 = "Workflow_RunningStatusSectionTitle";
string text5 = "Workflow_CompletedStatusSectionTitle";
string text6 = base.Request.QueryString["List"];
string value = base.Request.QueryString["ID"];
string text7 = base.Request.QueryString["ShowStart"];
string text8 = base.Request.QueryString["ShowStatus"];
string text9 = base.Request.QueryString["ShowAll"];
string s = base.Request.QueryString["ShowLimit"];
int rowCountLimit = 300;
this.m_fShowStart = (text7 == null || text7 != "0");
this.m_fShowStatus = (text8 == null || text8 != "0");
this.m_list = (string.IsNullOrEmpty(text6) ? null : base.Web.Lists[new Guid(text6)]);
this.m_item = ((this.m_list == null) ? null : this.m_list.GetItemById(Convert.ToInt32(value, CultureInfo.InvariantCulture)));
WorkflowServicesManager workflowServicesManager = new WorkflowServicesManager(base.Web);
if (workflowServicesManager.IsConnected)
{
this.Wf4Connected = true;
}
if (!int.TryParse(s, out rowCountLimit))
{
rowCountLimit = 300;
}
if (this.m_item != null)
{
this.m_item.CheckPermissions(SPBasePermissions.EditListItems);
this.m_item.EnsureWorkflowInformation();
base.PageTarget =
