
REST API Security Trimming SharePoint 2013

The REST API is a great means of interacting with data in SharePoint 2013, both on-premises and online. It was introduced in SP2010 and is greatly enhanced in SP2013. However, the results of REST queries are not always security trimmed.

Let us consider a simple scenario: we want to display, using JavaScript, the list of subsites that are accessible to the logged-in user. A normal REST query for this scenario looks like this:

http://site/_api/web/webs/?$select=title

However, to your surprise, you will find that the results returned by this query are not security trimmed. In other words, it displays all the subsites regardless of whether the user can access them or not. This requirement can be met using the client object model, but what if you want to access data from a different site collection? CSOM will not help in that case; we have to use REST for that scenario. So, how do we proceed?

Fortunately, there is a way. Simply use the following query:

http://site/_api/web/webs/?$select=title,effectivebasepermissions&$filter=effectivebasepermissions/high%20gt%2032

This query will only return the list of subsites that are accessible to the current user :-).

Explanation:

As you can see, the trick is the filter on “effectivebasepermissions”, which filters the results. If you are curious about the number 32, have a look at the following links to understand the permission numbers:

http://jamestsai.net/Blog/post/Understand-SharePoint-Permissions-Part-2-Check-SharePoint-usergroup-permissions-with-Permissions-web-service-and-JavaScript.aspx
http://jamestsai.net/Blog/post/Understand-SharePoint-Permissions—Part-1-SPBasePermissions-in-Hex2c-Decimal-and-Binary—The-Basics.aspx

Then, fire a query like this:

http://site/_api/web/roledefinitions

This will return the list of available role definitions. Analyzing it, you can see that for all the roles with a High value < 32, the user cannot access the web. This is how we get the lucky number "32".

<?xml version="1.0" encoding="utf-8" ?>
<feed xml:base="https://yourcompany.com/sites/projects/_api/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
  <id>ae4644c5-38a4-4a34-836e-5defb670188b</id>
  <title />
  <updated>2013-08-18T17:42:37Z</updated>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741829)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741829)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">2147483647</d:High>
          <d:Low m:type="Edm.Int64">4294967295</d:Low>
        </d:BasePermissions>
        <d:Description>Has full control.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741829</d:Id>
        <d:Name>Full Control</d:Name>
        <d:Order m:type="Edm.Int32">1</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">5</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741828)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741828)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">432</d:High>
          <d:Low m:type="Edm.Int64">1012866047</d:Low>
        </d:BasePermissions>
        <d:Description>Can view, add, update, delete, approve, and customize.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741828</d:Id>
        <d:Name>Design</d:Name>
        <d:Order m:type="Edm.Int32">32</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">4</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741830)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741830)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">432</d:High>
          <d:Low m:type="Edm.Int64">1011030767</d:Low>
        </d:BasePermissions>
        <d:Description>Can add, edit and delete lists; can view, add, update and delete list items and documents.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741830</d:Id>
        <d:Name>Edit</d:Name>
        <d:Order m:type="Edm.Int32">48</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">6</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741827)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741827)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">432</d:High>
          <d:Low m:type="Edm.Int64">1011028719</d:Low>
        </d:BasePermissions>
        <d:Description>Can view, add, update, and delete list items and documents.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741827</d:Id>
        <d:Name>Contribute</d:Name>
        <d:Order m:type="Edm.Int32">64</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">3</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741826)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741826)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">176</d:High>
          <d:Low m:type="Edm.Int64">138612833</d:Low>
        </d:BasePermissions>
        <d:Description>Can view pages and list items and download documents.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741826</d:Id>
        <d:Name>Read</d:Name>
        <d:Order m:type="Edm.Int32">128</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">2</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741825)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741825)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">16</d:High>
          <d:Low m:type="Edm.Int64">134283264</d:Low>
        </d:BasePermissions>
        <d:Description>Can view specific lists, document libraries, list items, folders, or documents when given permissions.</d:Description>
        <d:Hidden m:type="Edm.Boolean">true</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741825</d:Id>
        <d:Name>Limited Access</d:Name>
        <d:Order m:type="Edm.Int32">160</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">1</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741924)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741924)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">176</d:High>
          <d:Low m:type="Edm.Int64">138612801</d:Low>
        </d:BasePermissions>
        <d:Description>Can view pages, list items, and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741924</d:Id>
        <d:Name>View Only</d:Name>
        <d:Order m:type="Edm.Int32">2147483647</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">0</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741925)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741925)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">432</d:High>
          <d:Low m:type="Edm.Int64">1011028991</d:Low>
        </d:BasePermissions>
        <d:Description>Can edit and approve pages, list items, and documents.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741925</d:Id>
        <d:Name>Approve</d:Name>
        <d:Order m:type="Edm.Int32">2147483647</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">0</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741926)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741926)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">1073742320</d:High>
          <d:Low m:type="Edm.Int64">2129075183</d:Low>
        </d:BasePermissions>
        <d:Description>Can create sites and edit pages, list items, and documents.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741926</d:Id>
        <d:Name>Manage Hierarchy</d:Name>
        <d:Order m:type="Edm.Int32">2147483647</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">0</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741927)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741927)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">0</d:High>
          <d:Low m:type="Edm.Int64">196641</d:Low>
        </d:BasePermissions>
        <d:Description>Can view pages and documents, but cannot view historical versions or user permissions.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741927</d:Id>
        <d:Name>Restricted Read</d:Name>
        <d:Order m:type="Edm.Int32">2147483647</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">0</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://yourcompany.com/sites/projects/_api/Web/RoleDefinitions(1073741928)</id>
    <category term="SP.RoleDefinition" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" href="Web/RoleDefinitions(1073741928)" />
    <title />
    <updated>2013-08-18T17:42:37Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:BasePermissions m:type="SP.BasePermissions">
          <d:High m:type="Edm.Int64">32</d:High>
          <d:Low m:type="Edm.Int64">65536</d:Low>
        </d:BasePermissions>
        <d:Description>Can open lists and folders, and use remote interfaces.</d:Description>
        <d:Hidden m:type="Edm.Boolean">false</d:Hidden>
        <d:Id m:type="Edm.Int32">1073741928</d:Id>
        <d:Name>Restricted Interfaces for Translation</d:Name>
        <d:Order m:type="Edm.Int32">2147483647</d:Order>
        <d:RoleTypeKind m:type="Edm.Int32">0</d:RoleTypeKind>
      </m:properties>
    </content>
  </entry>
</feed>
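The `high gt 32` filter compares the upper 32-bit word of the permission mask as a plain number, so it is worth seeing what that word actually encodes. The following is an added example (not code from the original post): it decodes the {High, Low} pair that the REST API returns for SP.BasePermissions into SPBasePermissions flag names and compares the post's numeric heuristic with an explicit test of the ViewPages bit over the roles in the feed above; the flag values are the public SPBasePermissions enum, and the role values are copied from the feed.

```javascript
// Added example, not from the original post. SP.BasePermissions is a 64-bit
// mask that the REST API returns as two 32-bit words: Low (bits 0-31) and
// High (bits 32-63). Flag values below are the public SPBasePermissions enum,
// expressed per word.
const LOW_FLAGS = {
  ViewListItems: 1, AddListItems: 2, EditListItems: 4, DeleteListItems: 8,
  ApproveItems: 16, OpenItems: 32, ViewVersions: 64, DeleteVersions: 128,
  CancelCheckout: 256, ManagePersonalViews: 512, ManageLists: 2048,
  ViewFormPages: 4096, Open: 65536, ViewPages: 131072,
  AddAndCustomizePages: 262144, ApplyThemeAndBorder: 524288,
  ApplyStyleSheets: 1048576, ViewUsageData: 2097152, CreateSSCSite: 4194304,
  ManageSubwebs: 8388608, CreateGroups: 16777216, ManagePermissions: 33554432,
  BrowseDirectories: 67108864, BrowseUserInfo: 134217728,
  AddDelPrivateWebParts: 268435456, UpdatePersonalWebParts: 536870912,
  ManageWeb: 1073741824,
};
const HIGH_FLAGS = { UseClientIntegration: 16, UseRemoteAPIs: 32, ManageAlerts: 64,
  CreateAlerts: 128, EditMyUserInfo: 256, EnumeratePermissions: 1024 };

// Bit test on one word. JS `&` works on int32, but ToInt32 keeps the bit
// pattern, so Low = 4294967295 (FullMask) still tests correctly.
const hasBit = (word, flag) => (word & flag) !== 0;

// Names of every known flag set in a {High, Low} pair.
function decode({ High, Low }) {
  const names = [];
  for (const [n, f] of Object.entries(LOW_FLAGS)) if (hasBit(Low, f)) names.push(n);
  for (const [n, f] of Object.entries(HIGH_FLAGS)) if (hasBit(High, f)) names.push(n);
  return names;
}

// The post's $filter, evaluated client-side: the high word as a number.
const passesHighGt32 = (p) => p.High > 32;
// Explicit check: does the mask grant the right to view pages in the web?
const hasViewPages = (p) => hasBit(p.Low, LOW_FLAGS.ViewPages);

// Role definitions copied from the /_api/web/roledefinitions feed above.
const ROLES = [
  { Name: 'Full Control', High: 2147483647, Low: 4294967295 },
  { Name: 'Design', High: 432, Low: 1012866047 },
  { Name: 'Edit', High: 432, Low: 1011030767 },
  { Name: 'Contribute', High: 432, Low: 1011028719 },
  { Name: 'Read', High: 176, Low: 138612833 },
  { Name: 'Limited Access', High: 16, Low: 134283264 },
  { Name: 'View Only', High: 176, Low: 138612801 },
  { Name: 'Approve', High: 432, Low: 1011028991 },
  { Name: 'Manage Hierarchy', High: 1073742320, Low: 2129075183 },
  { Name: 'Restricted Read', High: 0, Low: 196641 },
  { Name: 'Restricted Interfaces for Translation', High: 32, Low: 65536 },
];

// Roles on which the numeric heuristic and the explicit bit test disagree.
function disagreements(roles = ROLES) {
  return roles.filter((r) => passesHighGt32(r) !== hasViewPages(r)).map((r) => r.Name);
}
```

On this feed the two checks agree for every role except Restricted Read, whose High word is 0 while its Low word carries ViewPages, so a web where the user holds only that role is dropped by the `high gt 32` filter even though its own description says the user can view pages.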

Hope it helps :-)
