User gets a 403 error (user has Full Control permission)

Question

We have a news system that relies on the publishing feature. It is basically the out of the box news with a few minor changes. The page contains a Page Content area. I'll give some screen shots to help make my point.

First, the page content area:

Page Content Area http://img216.imageshack.us/img216/460/pagecontentxm2.png

When you click inside the content area a toolbar is added. If you want to add an image to the content you click on the highlighted button (which this is what the user is trying to do):

Image Button http://img218.imageshack.us/img218/9786/pagecontentwithtoolbarwc9.png

Once you click on the image button a dialog appears. When the user clicks the Browse button he gets a 403 error.

Image Properties http://img218.imageshack.us/img218/3779/imagedialogxl1.png

As I said in the subject the user has Full Control permissions.

I have dug down into the IIS logs and found that this page throws the 403: /_layouts/AssetPortalBrowser.aspx

When the user clicks the browse button it is supposed to let them browse to this document library: /Information/News/PublishingImages

If you'll notice in the dialog (3rd image) the browse path is blank. If the user paste in the path to the image library the error does not happen.

Anybody have any idea how to get around this 403 error? It only happens with this one user and only started recently.

Answer 1

I recently blogged about just this subject

You need a specific set of rights to be able to browse using the AssetPortalBrowser. The tricky thing is that these rights have to be given on the site level, just giving these rights to a library is not enough. A second gotcha is that AssetPortalBrowser remembers your last browsed url. So the site you are currently adding rights to might not be the site generating the 403 error.

http://autoexe.blogspot.com/2009/03/assetportalbrowser-403-access-denied.html

Answer 2

And specifically, it's not the inheritance that makes it work - it's having read access on the library. If it does not inerit but your user still has access to it, then that library isn't the problem.

Answer 3

If it's a system library, then yes, it probably should inherit. System libraries usually have something like "this library was created by the Publishing feature" in their description.

At the least, you could write down the existing permissions and then inherit. If that doesn't fix it, you can put the old ones back - no harm, no foul.

Answer 4

A further thought: I managed to diagnose this problem by adding my test user into the Portal Owners group and then checking if the Browse works in a summary link webpart (which it did). If this same test works for you, it means that Portal Owners have access to something that the regular user does not. If this is the case, I'd check every libarary at the root level (same technique as above), looking for one that regular uses can't access.

Also, when in a summary link webpart and adding a new link, there's two Browse buttons: one goes to the page wer're dscussing here, and one goes to PortalImagePicker.aspx. Does this second button work for your user? Or are both giving 403 Forbidden?

Answer 5

Couldn't hurt. Also check the the "Site Collection Images" library, since your original error mentiones the "PublishingImages" library.

Answer 6

I had exactly this problem. After digging around and moving people between groups to see what groups were affected and what weren't, I discovered that you need to have at least "Read" access to the "Site Collection Documents" library at the root of the collection. Why this library was special and did not have inherited permissions eludes me...

As a SIte Admin, from the main Portal page: Site Settings -> Site Libraries and Lists -> Customize "Site Collection Documents". Have this library inherit permissions from its parent and all suddenly worked. Also check the "Site Collection Documents" while you're in there.

Answer 7

I am thinking that the AssetPortalBrowser.aspx is making anobject model call to try and get the data to fill out the list of files. If that is the case and the page is not getting the correct value for the file library to get the images, the page is going to try and use a default value for the list of items. If that user does not have permissions on the default location, then a 403 would possibly result.

This is all speculation, but Fiddler does not show AssetPortalBrowser.aspx requesting any other page assets.

My short experiment typing /_layouts/AssetPortalBrowser.aspx directly into my browser window was consistently defaulting to a document library. That library did not have any relation to the site browsed immediately before opening the page, so it may be storing the default URL somewhere and it may quite a different location.

Best bet is to try and track down any recent changes (i.e. reduction) to that users permissions.

Answer 8

What is the substatus code of the 403? This typically appears as the number following the 403 in the IIS log.

The following table should help pin down the root cause of this 403:

None  Access is denied. 
1 Execute access is denied.
2 Read access is denied.
3 Write access is denied.
4 SSL is required to view this resource.
5 SSL 128 is required to view this resource.
6 IP address of the client has been rejected.
7 SSL client certificate is required.
8 DNS name of the client is rejected.
9 Too many clients are trying to connect to the Web server.
10 Web server is configured to deny Execute access.
11 Password has been changed.
12 Client certificate is denied access by the server certificate mapper.
13 Client certificate has been revoked on the Web server.
14 Directory listing is denied on the Web server.
15 Client access licenses have exceeded limits on the Web server.
16 Client certificate is ill-formed or is not trusted by the Web server.
17 Client certificate has expired or is not yet valid.
18 Cannot execute requested URL in the current application pool.
19 Cannot execute CGIs for the client in this application pool.
20 Passport logon failed.

(Source: HTTP 403.x-Forbidden (IIS 6.0))

Answer 9

Try to narrow down it further:

• What happens when this user types the URL http://yoursite/_layouts/AssetPortalBrowser.aspx in the location bar of his browser?

• Is it the browser which can't access AssetPortalBrowser.aspx (= misconfig in IIS) or is AssetPortalBrowser.aspx trying to access something else (so AssetPortalBrowser.aspx is reporting the error)

Answer 10

This might be of help. Also use fiddler to see exactly what the request is when it fails.