getCurrentUserEffectivePermissions Access Denied for user with read access #259

Closed
2 of 4 tasks
c-eiser13 opened this issue Sep 25, 2018 · 18 comments · Fixed by #846 or #1079

@c-eiser13

Category

  • Enhancement
  • Bug
  • Question
  • Documentation gap/issue

Version

Please specify what version of the library you are using: [ 1.2.1 ]

Expected / Desired Behavior / Question

I am trying to use the above function against a list to get the user's permissions, then check if they have AddItems rights with the hasPermissions function. I am testing with a user that has read access to a site, including the list I am checking against, and I get:

"Error making HttpClient request in queryable: [403] ::> {"responseBody":{"error":{"code":"-2147024891, System.UnauthorizedAccessException","message":{"lang":"en-US","value":"Access denied. You do not have permission to perform this action or access this resource."}}},"responseHeaders":{}}"

My function call looks like this:

    const web = new Web(webUrl);
    return new Promise((resolve, reject) => {
        web.lists.getByTitle(listTitle).getCurrentUserEffectivePermissions()
            .then(res => {
                if (web.hasPermissions(res, PermissionKind.AddListItems)) {
                    resolve(true);
                }
                else {
                    resolve(false);
                }
            })
            .catch(e => {
                console.log(e);
                reject(e);
            });
    });

I've tried the same against the web instead of the list and get the same result. Increasing the test user to edit results in the same error, but giving him full control makes it work. Should I be able to use this function with a user that has only read access? I am converting an older app that was making a call to /EffectiveBasePermissions and this was working; I have not tried it in the newer app because I'd like to use this library to make the call. Thanks!

@patrick-rodgers
Member

I am not sure, but the fact that if you increase permissions and the call works makes me think this is permission related and not an issue with the library. What version of SharePoint?

@c-eiser13
Author

I am running this in SPO. I've changed my initial call to /_api/web/lists/getbytitle('" + listTitle + "')/EffectiveBasePermissions with the same user and that succeeds.

@patrick-rodgers
Member

Interesting, we'll have a look but this might just be some weirdness with the API.

@c-eiser13
Author

Thanks @patrick-rodgers, I just switched my code back to the original that I posted and it is working this morning. I may just stick with /EffectiveBasePermissions, then I am able to use hasPermissions to check that response against the permission I am looking for.

@patrick-rodgers
Member

Circling back to this, do I understand correctly that things are working now? If so I can close the issue, if not we do want to investigate. Thanks!

@koltyakov
Member

koltyakov commented Oct 2, 2018

Hi guys,

getCurrentUserEffectivePermissions and currentUserHasPermissions currently work only for admins or users with a specific level of permissions to an object (manage or even full - not sure here, need to check).
That's because under the cover the method uses getUserEffectivePermissions(@user) which is not allowed (blocked by the API) for low permissions users even while checking base permissions for themselves.

Item's and list's effectiveBasePermissions or .select('EffectiveBasePermissions') should be allowed for any user having at least read permissions, and probably getCurrentUserEffectivePermissions's internals can be switched to one of them. But, if I'm not wrong there are some nuances for external users and getting incorrect base permissions from the API.

Looped with the problem on one of the projects, going to conduct some experiments and come back here with more specific findings.

UPD:

It's something deeper as I have getCurrentUserEffectivePermissions working for a user having read-only permissions on a tenant. But I'm sure it failed before for me in On-Prem and SPO.

UPD2:

Checked this in SPO and SP2016:

    list.getCurrentUserEffectivePermissions().then(console.log);
    list.effectiveBasePermissions.get().then(console.log);
    list.select('EffectiveBasePermissions').get().then(console.log);

    item.getCurrentUserEffectivePermissions().then(console.log);
    item.effectiveBasePermissions.get().then(console.log);
    item.select('EffectiveBasePermissions').get().then(console.log);

and it works for ordinary users with read-only permissions as well as external. Maybe it was SP2013 where getCurrentUserEffectivePermissions failed. I'm confused a bit.

@c-eiser13
Author

Thanks for the follow up. Currently I am working around the issue by calling:
/_api/web/lists/getbytitle('" + listTitle + "')/EffectiveBasePermissions
This is working with a read-only user. Then I am able to pass the response from above to web.hasPermissions.

Based on your update above, I saw this happen as well where it gave me an error one morning and then worked sporadically another morning in the same tenant. I've been attempting to use this in SPO.
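
The workaround discussed in this thread (request EffectiveBasePermissions, then test the returned High/Low mask) as an added example; it is not code from any participant or from PnPjs. The function names, the host name and the sample masks are constructed for illustration, and the result is only a client-side hint for the UI, since SharePoint enforces the permission on the server.

```typescript
// Added example (not PnPjs source): build the EffectiveBasePermissions URL
// used as the workaround in this thread, then decode the High/Low mask.

// A few SP.PermissionKind numbers; kind N (1..64) is bit N-1 of the 64-bit mask.
const Kind = {
  ViewListItems: 1, AddListItems: 2, EditListItems: 3, DeleteListItems: 4,
  ManageLists: 12, ManagePermissions: 26, FullMask: 65,
} as const;

interface BasePermissions { High: string | number; Low: string | number; }

// OData string literals escape a single quote by doubling it; the title is
// then percent-encoded so it cannot alter the request path.
function effectivePermsUrl(webUrl: string, listTitle: string): string {
  const literal = encodeURIComponent(listTitle.replace(/'/g, "''"));
  return `${webUrl.replace(/\/+$/, "")}/_api/web/lists/getbytitle('${literal}')/EffectiveBasePermissions`;
}

// Parse one 32-bit half; anything that is not an unsigned 32-bit integer is rejected.
function toUint32(v: string | number): number | null {
  const n = typeof v === "string" && /^\d+$/.test(v) ? Number(v) : v;
  return typeof n === "number" && Number.isInteger(n) && n >= 0 && n <= 0xffffffff ? n : null;
}

function hasPermission(mask: BasePermissions, kind: number): boolean {
  const high = toUint32(mask.High);
  const low = toUint32(mask.Low);
  if (high === null || low === null) return false; // malformed mask: deny
  if (kind === Kind.FullMask) return high === 0x7fffffff && low === 0xffffffff;
  if (!Number.isInteger(kind) || kind < 1 || kind > 64) return false;
  const bit = kind - 1;
  // Bits 0..31 live in Low, bits 32..63 in High; >>> keeps the value unsigned.
  return (((bit < 32 ? low : high) >>> (bit % 32)) & 1) === 1;
}

// Constructed sample masks for the example: a read-only user and a contributor.
const readOnlyMask: BasePermissions = { High: "176", Low: "138612833" };
const contributeMask: BasePermissions = { High: "432", Low: "1011028719" };

// contoso.example is a placeholder host, not a value from the thread.
console.log(effectivePermsUrl("https://contoso.example/sites/demo/", "Bob's List"));
console.log(hasPermission(readOnlyMask, Kind.AddListItems));
console.log(hasPermission(contributeMask, Kind.AddListItems));
```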

@patrick-rodgers
Member

Based on your comments and @koltyakov's work I am going to close this as just being how the service works. Thanks!

@bogeorge

> I am running this in SPO. I've changed my initial call to /_api/web/lists/getbytitle('" + listTitle + "')/EffectiveBasePermissions with the same user and that succeeds.

Thanks @c-eiser13! Your solution saved me today. I'd been fighting with 403's for "normal" not admin users and switched my code to your approach and it seems to be working perfectly now.

@paulryan

@patrick-rodgers Hi - this is still an issue, and it has a very simple fix (which I have tested). This fix avoids the 403 errors experienced sporadically by low-privileged users, and improves performance for all users.
sharepointqueryablesecurable.ts

@koltyakov
Member

Hi @paulryan, thanks for adding this enhancement! It's pushed within a PR.

@paulryan

Thank you @koltyakov for creating the PR, much appreciated.

@paulryan

paulryan commented Feb 27, 2020

Hi @koltyakov, having migrated to v2, I've noticed that this change didn't make it across. It would be great to have the pull request that resolved this cherry-picked to v2! Thanks.
@patrick-rodgers

@koltyakov
Member

Thanks for letting us know and sorry we missed something moving to v2. Reopening to align/cherry-pick the fix.

@koltyakov
Member

Created a PR with a cherry-pick, so the fix will land to the upcoming version. Closing the issue as won't forget about it now.

@paulryan

@koltyakov wow so efficient!! Great thanks.

@dennyregehr

Thanks for updating 2.0.4 and for all the conversation here - I was starting to freak out!

@github-actions

This issue is locked for inactivity or age. If you have a related issue please open a new issue and reference this one. Closed issues are not tracked.

@github-actions github-actions bot locked and limited conversation to collaborators Apr 16, 2021