Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to get permission levels for Files/Folders/Documents in Sharepoint using rest endpoints?

I am using the following rest end point while trying to get permission levels for a particular file/document.

https://<web url>/_api/Web/GetFileByServerRelativeUrl('<path to the file>')/getlimitedwebpartmanager(scope=1 or 0)

I am able to get hold of the file successfully. But how should I get hold of the permission levels now?

like image 509
Abhishek Bansal Avatar asked Mar 08 '14 01:03

Abhishek Bansal


People also ask

How do I add a folder to a SharePoint library using REST API?

In this example, we have created an HTML form which has a textbox and a submit button. The user can give a folder name in the textbox and click on submit. On successful creation of the folder inside the document library, it will show a successful message.


2 Answers

What I do to get the permission levels is by using the "$expand" query parameter equal to "ListItemAllFields/RoleAssignments/XXXX" where XXXX is Member, RoleDefinitionBindings, and so forth expanding out the chain as far as I need to get the user and permission level info that I need. For example,

.../GetFileByServerRelativeUrl('')?$expand=ListItemAllFields/RoleAssignments/Member,ListItemAllFields/RoleAssignments/RoleDefinitionBindings,ListItemAllFields/RoleAssignments/Member/Users

It took a lot of web searching to figure out that the "$expand" query parameter even existed but it's very useful to get all the info needed in one GET. I subsequently add a "$select" parameter to the query to filter out just the pieces that my application uses.

Edit: Also look at Radu's question and my follow-up answer below. The answer to the question depends on what you're trying to accomplish. To quote part of my answer:

If you're dredging for all permissions had by all users, use my approach. However, you'll need sufficient rights to get that information. If you want to know the base permissions of the user you're using to make the request, use his approach. I have both use cases in my work so I, in fact, do both.

like image 131
Thomas Doman Avatar answered Oct 05 '22 23:10

Thomas Doman


The accepted solution didn't work for me. It seems that a user doesn't by default have permission to see RoleAssignments. But here's what I ended up doing.

I grabbed the effectiveBasePermissions by getting a response from /_api/web/getFileByServerRelativeUrl('my/relative/path')/ListItemAllFields/effectiveBasePermissions

I think this works for any item/folder in sharepoint by appending the /ListItemAllFields/effectiveBasePermissions to the url)

So, this returns the permission that the current user has for that file/item. The Permissions "object" is a set of 35 flags which are encoded in 64 bits (not all 64 bits are used - only 35). And these bits are provided by the endpoint as two integers (32 bits each) named:

  • Low - representing the first 32 bits
  • High - the next 32 bits in sequence, up to 64

Now, to see if the user has, for instance, editing permissions on that file, we need to look at the corresponding bit in this Low-High sequence. You can find what each bit in the sequence means, below:

    ViewListItems = 1,
    AddListItems = 2,
    EditListItems = 3,
    DeleteListItems = 4,
    ApproveItems = 5,
    OpenItems = 6,
    ViewVersions = 7,
    DeleteVersions = 8,
    CancelCheckout = 9,
    ManagePersonalViews = 10,
    ManageLists = 12,
    ViewFormPages = 13,
    AnonymousSearchAccessList = 14,
    Open = 17,
    ViewPages = 18,
    AddAndCustomizePages = 19,
    ApplyThemeAndBorder = 20,
    ApplyStyleSheets = 21,
    ViewUsageData = 22,
    CreateSSCSite = 23,
    ManageSubwebs = 24,
    CreateGroups = 25,
    ManagePermissions = 26,
    BrowseDirectories = 27,
    BrowseUserInfo = 28,
    AddDelPrivateWebParts = 29,
    UpdatePersonalWebParts = 30,
    ManageWeb = 31,
    AnonymousSearchAccessWebLists = 32,
    UseClientIntegration = 37,
    UseRemoteAPIs = 38,
    ManageAlerts = 39,
    CreateAlerts = 40,
    EditMyUserInfo = 41,
    EnumeratePermissions = 63

As you can see, some bits don't mean anything (like bit 11, 33, 34 etc) So, we need to look at bit number 3 (for editing) from the first 32 bits to tell if user can edit this file/item/folder. We can just ignore the High bits. We must make a bitwise comparison with the integer which in binary format has only the 3rd bit set to 1 (the rest being 0). In this case this is 100 (this is the binary representation of 4). There is a formula for this, actually: binaryNr = 2^(bitIndex - 1). For our example, bitIndex is 3. Now that we have the binaryNr we use it as a mask to find out if the third bit in the low sequence is 0 or 1:

hasEditingPermission = (binaryNr | LowSequence) == LowSequence

and here's a handy pseudocode function for the whole thing (^ is the power operator):

function hasPermission (low, high, bitIndex){
  var sequence = low;
  if (bitIndex >= 32){
    sequence = high;
    bit -= 32;
  }
  return ((2^(bitIndex - 1)) | sequence) == sequence
}
like image 27
Radu Simionescu Avatar answered Oct 05 '22 22:10

Radu Simionescu