Menu
I am using the following rest end point while trying to get permission levels for a particular file/document.
https://<web url>/_api/Web/GetFileByServerRelativeUrl('<path to the file>')/getlimitedwebpartmanager(scope=1 or 0)
I am able to get hold of the file successfully. But how should I get hold of the permission levels now?
509
In this example, we have created an HTML form which has a textbox and a submit button. The user can give a folder name in the textbox and click on submit. On successful creation of the folder inside the document library, it will show a successful message.
What I do to get the permission levels is by using the "$expand" query parameter equal to "ListItemAllFields/RoleAssignments/XXXX" where XXXX is Member, RoleDefinitionBindings, and so forth expanding out the chain as far as I need to get the user and permission level info that I need. For example,
.../GetFileByServerRelativeUrl('')?$expand=ListItemAllFields/RoleAssignments/Member,ListItemAllFields/RoleAssignments/RoleDefinitionBindings,ListItemAllFields/RoleAssignments/Member/Users
It took a lot of web searching to figure out that the "$expand" query parameter even existed but it's very useful to get all the info needed in one GET. I subsequently add a "$select" parameter to the query to filter out just the pieces that my application uses.
Edit: Also look at Radu's question and my follow-up answer below. The answer to the question depends on what you're trying to accomplish. To quote part of my answer:
If you're dredging for all permissions had by all users, use my approach. However, you'll need sufficient rights to get that information. If you want to know the base permissions of the user you're using to make the request, use his approach. I have both use cases in my work so I, in fact, do both.
131
The accepted solution didn't work for me. It seems that a user doesn't by default have permission to see RoleAssignments. But here's what I ended up doing.
I grabbed the effectiveBasePermissions by getting a response from /_api/web/getFileByServerRelativeUrl('my/relative/path')/ListItemAllFields/effectiveBasePermissions
I think this works for any item/folder in sharepoint by appending the /ListItemAllFields/effectiveBasePermissions to the url)
So, this returns the permission that the current user has for that file/item. The Permissions "object" is a set of 35 flags which are encoded in 64 bits (not all 64 bits are used - only 35). And these bits are provided by the endpoint as two integers (32 bits each) named:
Now, to see if the user has, for instance, editing permissions on that file, we need to look at the corresponding bit in this Low-High sequence. You can find what each bit in the sequence means, below:
ViewListItems = 1,
AddListItems = 2,
EditListItems = 3,
DeleteListItems = 4,
ApproveItems = 5,
OpenItems = 6,
ViewVersions = 7,
DeleteVersions = 8,
CancelCheckout = 9,
ManagePersonalViews = 10,
ManageLists = 12,
ViewFormPages = 13,
AnonymousSearchAccessList = 14,
Open = 17,
ViewPages = 18,
AddAndCustomizePages = 19,
ApplyThemeAndBorder = 20,
ApplyStyleSheets = 21,
ViewUsageData = 22,
CreateSSCSite = 23,
ManageSubwebs = 24,
CreateGroups = 25,
ManagePermissions = 26,
BrowseDirectories = 27,
BrowseUserInfo = 28,
AddDelPrivateWebParts = 29,
UpdatePersonalWebParts = 30,
ManageWeb = 31,
AnonymousSearchAccessWebLists = 32,
UseClientIntegration = 37,
UseRemoteAPIs = 38,
ManageAlerts = 39,
CreateAlerts = 40,
EditMyUserInfo = 41,
EnumeratePermissions = 63
As you can see, some bits don't mean anything (like bit 11, 33, 34 etc) So, we need to look at bit number 3 (for editing) from the first 32 bits to tell if user can edit this file/item/folder. We can just ignore the High bits. We must make a bitwise comparison with the integer which in binary format has only the 3rd bit set to 1 (the rest being 0). In this case this is 100 (this is the binary representation of 4). There is a formula for this, actually: binaryNr = 2^(bitIndex - 1). For our example, bitIndex is 3. Now that we have the binaryNr we use it as a mask to find out if the third bit in the low sequence is 0 or 1:
hasEditingPermission = (binaryNr | LowSequence) == LowSequence
and here's a handy pseudocode function for the whole thing (^ is the power operator):
function hasPermission (low, high, bitIndex){
var sequence = low;
if (bitIndex >= 32){
sequence = high;
bit -= 32;
}
return ((2^(bitIndex - 1)) | sequence) == sequence
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
