Pnpjs: getCurrentUserEffectivePermissions Access Denied for user with read access

Created on 25 Sep 2018  路  17Comments  路  Source: pnp/pnpjs

Category

  • [ ] Enhancement
  • [x] Bug
  • [x] Question
  • [ ] Documentation gap/issue

Version

Please specify what version of the library you are using: [ 1.2.1 ]

Expected / Desired Behavior / Question

I am trying to use the above function against a list to get users permissions, then check if they have AddItems rights with the hasPermissions function. I am testing with a user that has read access to a site, including the list I am checking against, and I get:

"Error making HttpClient request in queryable: [403] ::> {"responseBody":{"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}},"responseHeaders":{}}"

My function call looks like this:

const web = new Web(webUrl);
return new Promise((resolve, reject) => {
web.lists.getByTitle(listTitle).getCurrentUserEffectivePermissions()
.then(res => {
if(web.hasPermissions(res, PermissionKind.AddListItems)){
resolve(true);
}
else{
resolve(false);
}
})
.catch(e =>{
console.log(e);
reject(e)
})
})

I've tried the same against the web instead of the list and get the same result. Increasing the test user to edit results in same error, but giving him full control makes it work. Should I be able to use this function with a user that has only read access? I am converting an older app that was making a call to /EffectiveBasePermissions and this was working, I have not tried it in the newer app because I'd like to use this library to make the call. Thanks!

code answered question
Source
picture c-eiser13

Most helpful comment

@patrick-rodgers Hi - this is still an issue, and it has a very simple fix (which I have tested). This fix avoids the 403 errors experienced sporadically by low-privileged users, and improves performance for all users.
sharepointqueryablesecurable.ts
image

picture paulryan on 11 Sep 2019
👍3

All 17 comments

I am not sure, but the fact that if you increase permissions and the call works makes me think this is permission related and not an issue with the library. What version of SharePoint?

patrick-rodgers picture patrick-rodgers on 26 Sep 2018

I am running this in SPO. I've changed my initial call to /_api/web/lists/getbytitle('" + listTitle + "')/EffectiveBasePermissions with the same user and that succeeds.

c-eiser13 picture c-eiser13 on 26 Sep 2018
👍1

interesting, we'll have a look but this might just be some weirdness with the API.

patrick-rodgers picture patrick-rodgers on 26 Sep 2018

Thanks @patrick-rodgers , I just switched my code back to the original that I posted and it is working this morning. I may just stick with /EffectiveBasePermissions, then I am able to use hasPermissions to check that response against the permission I am looking for.

c-eiser13 picture c-eiser13 on 26 Sep 2018

Circling back to this, do I understand correctly that things are working now? If so I can close the issue, if not we do want to investigate. Thanks!

patrick-rodgers picture patrick-rodgers on 2 Oct 2018

Hi guys,

getCurrentUserEffectivePermissions and currentUserHasPermissions currently works only for admins or users with a specific level of permissions to an object (manage or even full - not sure here, need to check).
That's because under the cover the method uses getUserEffectivePermissions(@user) which is not allowed (blocked by the API) for low permissions users even while checking base permissions for themselves.

Item's and list's effectiveBasePermissions or .select('EffectiveBasePermissions') should be allowed for any user having at least read permissions, and probably getCurrentUserEffectivePermissions's internals can be switched to one of them. But, if I'm not wrong there are some nuances for external users and getting incorrect base permissions from the API.

Looped with the problem on one of the projects, going to conduct some experiments and come back here with more specific findings.

UPD:

It's something deeper as I have getCurrentUserEffectivePermissions working for a user having read-only permissions on a tenant. But I sure it failed before for me in On-Prem and SPO.

UPD2:

Checked this in SPO and SP2016:

list.getCurrentUserEffectivePermissions().then(console.log);
list.effectiveBasePermissions.get().then(console.log);
list.select('EffectiveBasePermissions').get().then(console.log);

item.getCurrentUserEffectivePermissions().then(console.log);
item.effectiveBasePermissions.get().then(console.log);
item.select('EffectiveBasePermissions').get().then(console.log);

and it works for ordinary users with read-only permissions as well as external. Maybe it was SP2013 where getCurrentUserEffectivePermissions failed. I'm confused a bit.

koltyakov picture koltyakov on 2 Oct 2018
👍2

Thanks for the follow up. Currently I am working around the issue by calling:
/_api/web/lists/getbytitle('" + listTitle + "')/EffectiveBasePermissions
This is working with a read-only user. Then I am able to pass the response from above to web.hasPermissions.

Based on your update above, I saw this happen as well where it gave me an error one morning and then worked sporadically another morning in the same tenant. I've been attempting to use this in SPO.

c-eiser13 picture c-eiser13 on 2 Oct 2018
👍1

Based on your commends and @koltyakov 's work I am going to close this as just being how the service works. Thanks!

patrick-rodgers picture patrick-rodgers on 2 Oct 2018

I am running this in SPO. I've changed my initial call to /_api/web/lists/getbytitle('" + listTitle + "')/EffectiveBasePermissions with the same user and that succeeds.

Thanks @c-eiser13! Your solution saved me today. I'd been fighting with 403's for "normal" not admin users and switched my code to your approach and it seems to be working perfectly now.

bogeorge picture bogeorge on 22 Mar 2019

@patrick-rodgers Hi - this is still an issue, and it has a very simple fix (which I have tested). This fix avoids the 403 errors experienced sporadically by low-privileged users, and improves performance for all users.
sharepointqueryablesecurable.ts
image

paulryan picture paulryan on 11 Sep 2019
👍3

Hi @paulryan, thanks for adding this enhancement! It's pushed withing a PR.

koltyakov picture koltyakov on 11 Sep 2019
👍1

Thank you @koltyakov for creating the PR, much appreciated.

paulryan picture paulryan on 11 Sep 2019

Hi @koltyakov, having migrated to v2, I've noticed that this change didn't make it across. It would be great to have the pull request that resolved this cherry-picked to v2! Thanks.
@patrick-rodgers

paulryan picture paulryan on 27 Feb 2020
👍1

Thanks for letting us know and sorry we missed something moving to v2. Reopening to align/cherry-pick the fix.

koltyakov picture koltyakov on 27 Feb 2020

Created a PR with a cherry-pick, so the fix will land to the upcoming version. Closing the issue as won't forget about it now.

koltyakov picture koltyakov on 27 Feb 2020
👍1

@koltyakov wow so efficient!! Great thanks.

paulryan picture paulryan on 27 Feb 2020
👍1

Thanks for updating 2.0.4 and for all the conversation here - I was starting to freak out!

dennyregehr picture dennyregehr on 5 May 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ITAndy23 picture ITAndy23  路  3Comments
ahsanranjha picture ahsanranjha  路  3Comments
bogeorge picture bogeorge  路  3Comments
simonagren picture simonagren  路  3Comments
simkessy picture simkessy  路  3Comments