Bug report: spo list list command throws Access Denied #3373

Closed
martinlingstuyl opened this issue Jun 1, 2022 · 0 comments

martinlingstuyl commented Jun 1, 2022

Description

In certain scenarios, the command spo list list throws an access denied error:

  1. App Only authenticated with Sites.Manage.All scope. (It does work correctly with Sites.FullControl.All.)
  2. With a regular user (no SharePoint admin), being a member on a site, using scope AllSites.FullControl or AllSites.Manage.

I already found the probable culprit in the code:
The code calls the REST url /_api/web/lists?$expand=RootFolder.

If I remove the $expand, the calls come through without access denied errors.
If I add a $select=RootFolder/ServerRelativeUrl,* statement, the calls come through as well.

It apparently tries to expand too much for the permissions of the user/app.

The solution seems to be to add the mentioned $select statement.

Everything is returned including the necessary ServerRelativeUrl.

Steps to reproduce

Try to run m365 spo list list --webUrl someurl in the above situations.

Expected results

A list of lists is shown

Actual results

Access denied is thrown

Diagnostics

No response

CLI for Microsoft 365 version

5.3.0

nodejs version

16.15.0

Operating system (environment)

Windows

Shell

Windows PowerShell

cli doctor

{
  "os": {
    "platform": "win32",
    "version": "Windows 10 Enterprise",
    "release": "10.0.22000"
  },
  "cliVersion": "5.3.0",
  "nodeVersion": "v16.15.0",
  "cliAadAppId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
  "cliAadAppTenant": "common",
  "authMode": "DeviceCode",
  "cliEnvironment": "",
  "cliConfig": {},
  "roles": [],
  "scopes": [
    "AllSites.FullControl",
    "AppCatalog.ReadWrite.All",
    "AuditLog.Read.All",
    "ChannelMember.ReadWrite.All",
    "ChannelMessage.Read.All",
    "ChannelMessage.Send",
    "ChannelSettings.ReadWrite.All",
    "Chat.Read",
    "Chat.ReadWrite",
    "Directory.AccessAsUser.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "IdentityProvider.ReadWrite.All",
    "Mail.ReadWrite",
    "Mail.Send",
    "Place.Read.All",
    "Policy.Read.All",
    "Reports.Read.All",
    "SecurityEvents.Read.All",
    "ServiceHealth.Read.All",
    "ServiceMessage.Read.All",
    "ServiceMessageViewpoint.Write",
    "Tasks.ReadWrite",
    "Team.Create",
    "TeamMember.ReadWrite.All",
    "TeamsApp.ReadWrite.All",
    "TeamsAppInstallation.ReadWriteForUser",
    "TeamSettings.ReadWrite.All",
    "TeamsTab.ReadWrite.All",
    "TermStore.ReadWrite.All",
    "User.Invite.All",
    "User.ReadWrite.All",
    "profile",
    "openid",
    "email",
    "AllSites.FullControl",
    "AppCatalog.ReadWrite.All",
    "AuditLog.Read.All",
    "ChannelMember.ReadWrite.All",
    "ChannelMessage.Read.All",
    "ChannelMessage.Send",
    "ChannelSettings.ReadWrite.All",
    "Chat.Read",
    "Chat.ReadWrite",
    "Directory.AccessAsUser.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "IdentityProvider.ReadWrite.All",
    "Mail.ReadWrite",
    "Mail.Send",
    "Place.Read.All",
    "Policy.Read.All",
    "Reports.Read.All",
    "SecurityEvents.Read.All",
    "ServiceHealth.Read.All",
    "ServiceMessage.Read.All",
    "ServiceMessageViewpoint.Write",
    "Tasks.ReadWrite",
    "Team.Create",
    "TeamMember.ReadWrite.All",
    "TeamsApp.ReadWrite.All",
    "TeamsAppInstallation.ReadWriteForUser",
    "TeamSettings.ReadWrite.All",
    "TeamsTab.ReadWrite.All",
    "TermStore.ReadWrite.All",
    "User.Invite.All",
    "User.ReadWrite.All"
  ]
}

Additional Info

No response
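
The request change proposed in the issue, as an added TypeScript example that is not part of the original report and not the CLI's own code. The names buildListsUrl, getLists, Transport and fakeSharePoint are hypothetical, the contoso tenant URL used with it is a placeholder, and the response body is constructed assuming the odata=nometadata JSON shape.

```typescript
// Added example. All names here are hypothetical, not CLI for Microsoft 365 code.
type HttpResult = { status: number; body: string };
type Transport = (url: string) => Promise<HttpResult>;
interface ListInfo { Title: string; Url: string; }
interface ListsBody { value: { Title: string; RootFolder: { ServerRelativeUrl: string } }[]; }

// narrowSelect=true limits the expanded RootFolder to ServerRelativeUrl and
// keeps the list's own fields via "*", the form the issue reports as working.
function buildListsUrl(webUrl: string, narrowSelect: boolean): string {
  const base = webUrl.replace(/\/+$/, '') + '/_api/web/lists?$expand=RootFolder';
  return narrowSelect ? base + '&$select=RootFolder/ServerRelativeUrl,*' : base;
}

async function getLists(webUrl: string, send: Transport, narrowSelect: boolean = true): Promise<ListInfo[]> {
  const url = buildListsUrl(webUrl, narrowSelect);
  const res = await send(url);
  if (res.status === 403) {
    // Surface the query so an over-broad $expand is visible in the error.
    throw new Error('Access denied for ' + url + ' (check $expand/$select against the granted scope)');
  }
  if (res.status !== 200) {
    throw new Error('HTTP ' + res.status + ' for ' + url);
  }
  const parsed = JSON.parse(res.body) as ListsBody;
  return parsed.value.map((l) => ({ Title: l.Title, Url: l.RootFolder.ServerRelativeUrl }));
}

// Constructed stand-in for SharePoint: denies an unrestricted RootFolder expand
// and serves the narrowed query, mirroring what the issue observed.
const fakeSharePoint: Transport = async (url: string): Promise<HttpResult> => {
  if (url.indexOf('$select=RootFolder/ServerRelativeUrl') === -1) {
    return { status: 403, body: '{"error":"constructed access denied"}' };
  }
  const body: ListsBody = { value: [
    { Title: 'Documents', RootFolder: { ServerRelativeUrl: '/sites/demo/Shared Documents' } },
    { Title: 'Site Pages', RootFolder: { ServerRelativeUrl: '/sites/demo/SitePages' } }
  ] };
  return { status: 200, body: JSON.stringify(body) };
};
```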
