This repository has been archived by the owner. It is now read-only.

Access denied while getting permissions for list item #654

Closed
DenisChimbor opened this Issue Dec 4, 2017 · 6 comments

Comments

Projects
None yet
2 participants
@DenisChimbor
Copy link

DenisChimbor commented Dec 4, 2017

Category

[ ] Enhancement

[X] Bug

[ ] Question

Version

[3.0.1]

Expected / Desired Behavior / Question

I'm trying to get item permissions for current user in SharePoint provider-hosted add-in. But sometimes (one or two time a week) I got access denied.

Steps to Reproduce

I have a SharePoint provider-hosted add-in installed in SharePoint Online. It has the following permissions:

Scope Permissions
Tenant  Manage
Web  Write 
User Profiles (Social)  Write
Search  QueryAsUserIgnoreAppPrincipal

I logged in under tenant administrator
To get current user permissions I do the following:

pnp.sp.crossDomainWeb("https://test-11a37d60dc8ec2.sharepoint.com/sites/apps/TestAddIn","https://test.sharepoint.com/sites/testsite")
    .lists
    .getByTitle("Test Pages")
    .items
    .getById(1)
    .getUserEffectivePermissions("i:0#.f|membership|admin@test.onmicrosoft.com")

Request URL:

https://test-384cb0e2393687.sharepoint.com/sites/appCatalog/TestAddIn/_api/SP.AppContextSite(@target)/web/lists/getByTitle('Test%20Pages')/items(1)/getUserEffectivePermissions(@user)?@target=%27https%3A%2F%2Ftest.sharepoint.com%2Fsites%2Ftestsite%27&@user=%27i%3A0%23.f%7Cmembership%7Cadmin%40test.onmicrosoft.com%27

Response:

{
  "error": {
    "code":"-2147024891, System.UnauthorizedAccessException",
    "message": {
      "lang":"en-US",
      "value":"Access denied. You do not have permission to perform this action or access this resource."
    }
  }
}
  1. In SharePoint Online I can't find any dependencies, when it is happened.
  2. In SharePoint 2016 it happens around first 20 minutes after creating new site collection.
  3. If I replace /getUserEffectivePermissions(@user) with /EffectiveBasePermissions in request URL it works.

Thanks!

@koltyakov

This comment has been minimized.

Copy link
Collaborator

koltyakov commented Dec 4, 2017

Hey Denis,

Looks like it's not a bug in the library, but something more related to SP API and Add-Ins.
Do you have a chance to check if the same raw REST request fails under the same circumstances?
Btw, /EffectiveBasePermissions endpoint is implemented in the library item.effectiveBasePermissions().

@DenisChimbor

This comment has been minimized.

Copy link

DenisChimbor commented Dec 4, 2017

Thank you for quick response!
Yes, raw REST request also fails.
I tried to use item.effectiveBasePermissions and it works, but it returns different values for the same item.

/getUserEffectivePermissions(@user):

<d:GetUserEffectivePermissions m:type="SP.BasePermissions" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
<d:High m:type="Edm.Int64">2147483647</d:High>
<d:Low m:type="Edm.Int64">4294967295</d:Low>
</d:GetUserEffectivePermissions>

/EffectiveBasePermissions:

<d:EffectiveBasePermissions m:type="SP.BasePermissions" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
<d:High m:type="Edm.Int64">176</d:High>
<d:Low m:type="Edm.Int64">1006834415</d:Low>
</d:EffectiveBasePermissions>
  1. Do you have API for web /EffectiveBasePermissions endpoint?
  2. Do you have API to correctly parse values, that returned from /EffectiveBasePermissions endpoint?
@koltyakov

This comment has been minimized.

Copy link
Collaborator

koltyakov commented Dec 4, 2017

  1. Yes, this endpoint is implemented. Usage example:
pnp.sp.web.lists.getByTitle('List_Title')
  .items.getById(1)
  .effectiveBasePermissions
  .get().then(console.log)

image

  1. Do you mean the values of High/Low which are returned?
    Here PnP JS Core just returns results from the REST API.
@DenisChimbor

This comment has been minimized.

Copy link

DenisChimbor commented Dec 4, 2017

  1. Sorry, I mean API to get web permissions (not list item permissions) using /EffectiveBasePermissions endpoint.
  2. Yes, I mean High/Low values. I was surprised to see different High/Low values for the same item.
\ EffectiveBasePermissions getUserEffectivePermissions(@user)
High 176 2147483647
Low 1006834415 4294967295

I try to understand what values are correct and how to parse it in both cases. That is why I asked may be you already handle such situation in your library. Thank you! This question anyway not related to PnP library.

@koltyakov

This comment has been minimized.

Copy link
Collaborator

koltyakov commented Dec 4, 2017

  1. Currently no:
pnp.sp.web.getCurrentUserEffectivePermissions().then(console.log);

Requests for /_api/web/getUserEffectivePermissions(@user).

Though, not an issue to add. Actually, I did a PR. Next release planned date is 18th of December if I'm not wrong.

  1. I also surprised with this. I assume that ACL is calculating with some background activity when you experience this.

E.g. I have the same values:

image

@DenisChimbor

This comment has been minimized.

Copy link

DenisChimbor commented Dec 4, 2017

I found, that this behaviour can be reproduced only in add-in.

\ _api/SP.AppContextSite(@target)/web/getUserEffectivePermissions(@user) _api/SP.AppContextSite(@target)/web/EffectiveBasePermissions _api/web/EffectiveBasePermissions _api/web/getUserEffectivePermissions(@user)
High 2147483647 176 2147483647 2147483647
Low 4294967295 1006834415 4294967295 4294967295

Thank you for PR! I've closed the issue, because it is not related to PnP.
I'll continue working with it and let you know, if find something new.

P.S.
My add-in installed on app catalog and I try to get permissions for another site collection.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.