Skip to content
This repository has been archived by the owner on Jun 18, 2019. It is now read-only.

Access denied while getting permissions for list item #654

Closed
DenisChimbor opened this issue Dec 4, 2017 · 6 comments
Closed

Access denied while getting permissions for list item #654

DenisChimbor opened this issue Dec 4, 2017 · 6 comments

Comments

@DenisChimbor
Copy link

Category

[ ] Enhancement

[X] Bug

[ ] Question

Version

[3.0.1]

Expected / Desired Behavior / Question

I'm trying to get item permissions for current user in SharePoint provider-hosted add-in. But sometimes (one or two time a week) I got access denied.

Steps to Reproduce

I have a SharePoint provider-hosted add-in installed in SharePoint Online. It has the following permissions:

Scope Permissions
Tenant  Manage
Web  Write 
User Profiles (Social)  Write
Search  QueryAsUserIgnoreAppPrincipal

I logged in under tenant administrator
To get current user permissions I do the following:

pnp.sp.crossDomainWeb("https://test-11a37d60dc8ec2.sharepoint.com/sites/apps/TestAddIn","https://test.sharepoint.com/sites/testsite")
    .lists
    .getByTitle("Test Pages")
    .items
    .getById(1)
    .getUserEffectivePermissions("i:0#.f|membership|admin@test.onmicrosoft.com")

Request URL:

https://test-384cb0e2393687.sharepoint.com/sites/appCatalog/TestAddIn/_api/SP.AppContextSite(@target)/web/lists/getByTitle('Test%20Pages')/items(1)/getUserEffectivePermissions(@user)?@target=%27https%3A%2F%2Ftest.sharepoint.com%2Fsites%2Ftestsite%27&@user=%27i%3A0%23.f%7Cmembership%7Cadmin%40test.onmicrosoft.com%27

Response:

{
  "error": {
    "code":"-2147024891, System.UnauthorizedAccessException",
    "message": {
      "lang":"en-US",
      "value":"Access denied. You do not have permission to perform this action or access this resource."
    }
  }
}
  1. In SharePoint Online I can't find any dependencies, when it is happened.
  2. In SharePoint 2016 it happens around first 20 minutes after creating new site collection.
  3. If I replace /getUserEffectivePermissions(@user) with /EffectiveBasePermissions in request URL it works.

Thanks!
@koltyakov
Copy link
Collaborator

Hey Denis,

Looks like it's not a bug in the library, but something more related to SP API and Add-Ins.
Do you have a chance to check if the same raw REST request fails under the same circumstances?
Btw, /EffectiveBasePermissions endpoint is implemented in the library item.effectiveBasePermissions().

@DenisChimbor
Copy link
Author

Thank you for quick response!
Yes, raw REST request also fails.
I tried to use item.effectiveBasePermissions and it works, but it returns different values for the same item.

/getUserEffectivePermissions(@user):

<d:GetUserEffectivePermissions m:type="SP.BasePermissions" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
<d:High m:type="Edm.Int64">2147483647</d:High>
<d:Low m:type="Edm.Int64">4294967295</d:Low>
</d:GetUserEffectivePermissions>

/EffectiveBasePermissions:

<d:EffectiveBasePermissions m:type="SP.BasePermissions" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
<d:High m:type="Edm.Int64">176</d:High>
<d:Low m:type="Edm.Int64">1006834415</d:Low>
</d:EffectiveBasePermissions>
  1. Do you have API for web /EffectiveBasePermissions endpoint?
  2. Do you have API to correctly parse values, that returned from /EffectiveBasePermissions endpoint?

@koltyakov
Copy link
Collaborator

  1. Yes, this endpoint is implemented. Usage example:
pnp.sp.web.lists.getByTitle('List_Title')
  .items.getById(1)
  .effectiveBasePermissions
  .get().then(console.log)

image

  1. Do you mean the values of High/Low which are returned?
    Here PnP JS Core just returns results from the REST API.

@DenisChimbor
Copy link
Author

  1. Sorry, I mean API to get web permissions (not list item permissions) using /EffectiveBasePermissions endpoint.
  2. Yes, I mean High/Low values. I was surprised to see different High/Low values for the same item.
\ EffectiveBasePermissions getUserEffectivePermissions(@user)
High 176 2147483647
Low 1006834415 4294967295

I try to understand what values are correct and how to parse it in both cases. That is why I asked may be you already handle such situation in your library. Thank you! This question anyway not related to PnP library.

@koltyakov koltyakov mentioned this issue Dec 4, 2017
Merged
@koltyakov
Copy link
Collaborator

  1. Currently no:
pnp.sp.web.getCurrentUserEffectivePermissions().then(console.log);

Requests for /_api/web/getUserEffectivePermissions(@user).

Though, not an issue to add. Actually, I did a PR. Next release planned date is 18th of December if I'm not wrong.

  1. I also surprised with this. I assume that ACL is calculating with some background activity when you experience this.

E.g. I have the same values:

image

@DenisChimbor
Copy link
Author

DenisChimbor commented Dec 4, 2017
edited
Loading

I found, that this behaviour can be reproduced only in add-in.

\ _api/SP.AppContextSite(@target)/web/getUserEffectivePermissions(@user) _api/SP.AppContextSite(@target)/web/EffectiveBasePermissions _api/web/EffectiveBasePermissions _api/web/getUserEffectivePermissions(@user)
High 2147483647 176 2147483647 2147483647
Low 4294967295 1006834415 4294967295 4294967295

Thank you for PR! I've closed the issue, because it is not related to PnP.
I'll continue working with it and let you know, if find something new.

P.S.
My add-in installed on app catalog and I try to get permissions for another site collection.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@DenisChimbor @koltyakov