Recently we received a complain from one of our users. She has created a subscription for alerts on changes of a list, but as she decided later to cancel the subscription, she got an error (access denied). The problem was easy to reproduce, and the reason was pretty straightforward as well. Users who have permissions on a specific list, but not on the parent site of the list may be affected by this “design issue”. We faced the error on SP 2010, but as far as I see it affects MOSS 2007 (WSS 3.0) and SP 2013 users as well.
For those of you who would like to know the technical background of the issue: you can create the alert from the list ribbon via the application page SubNew.aspx, and manage them via the MySubs.aspx page, both of them are located in the _layouts folder. The code behind class for these pages are the SubNewPage and the MySubsPage classes respectively from the assembly Microsoft.SharePoint.ApplicationPages (and the same namespace). There is no security check in the OnLoad method of the SubNewPage class (nor in its base classes), however in the OnLoad method of the MySubsPage class the CheckRights method of the LayoutsPageBase class (Microsoft.SharePoint assembly, Microsoft.SharePoint.WebControls namespace ) is called. This method checks, if the current user has DefaultLayoutsRights permission (that means SPBasePermissions.EmptyMask | SPBasePermissions.ViewFormPages | SPBasePermissions.Open | SPBasePermissions.ViewPages) on the parent web, and not on the list. If not, the user is not able to manage the alerts she created earlier.
