Impersonating a user when making rest api call

  • Question

  • Is there any way to impersonate a user in the SharePoint REST API when making a REST API call?

    For example, an admin user wants to know which sites a particular user can access by making a REST API call.


    BrajMohan

    Thursday, March 22, 2018 5:55 AM

Answers

  • We can't quite impersonate over the REST API, since the code runs client-side and any user could capture the request and use it in the wrong way to impersonate the user for other operations.

    From a C# perspective, the link below may be helpful:

    https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/


    avinash devkate


    • Edited by Avinash Devkate Monday, March 26, 2018 10:23 AM updation
    • Proposed as answer by Lee Liu Tuesday, March 27, 2018 10:00 AM
    • Marked as answer by BrajMohan Singh Friday, March 30, 2018 12:17 PM
    Monday, March 26, 2018 10:20 AM

All replies

  • Hi,

    We can use C# code to make a REST API call using a particular user name and password.

    Here is a demo for your reference.

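            using System;
            using System.Net;
            using Newtonsoft.Json;
            using Newtonsoft.Json.Linq;

            /// <summary>
            /// Call the REST API to get the JSON data of a list.
            /// </summary>
            /// <param name="webUri">URL of the SharePoint web</param>
            /// <param name="credentials">Credentials used for the request</param>
            /// <param name="listTitle">Title of the list to read</param>
            /// <returns>The "d" node of the verbose OData response</returns>
            public static JToken GetList(Uri webUri, ICredentials credentials, string listTitle)
            {
                using (WebClient client = new WebClient())
                {
                    client.Headers.Add("X-FORMS_BASED_AUTH_ACCEPTED", "f");
                    client.Credentials = credentials;
                    client.Headers.Add(HttpRequestHeader.ContentType, "application/json;odata=verbose");
                    client.Headers.Add(HttpRequestHeader.Accept, "application/json;odata=verbose");
                    // Double any single quote (OData string literal) and URL-encode the title,
                    // so that a quote in listTitle cannot break out of getbytitle('...').
                    string safeTitle = Uri.EscapeDataString(listTitle.Replace("'", "''"));
                    Uri endpointUri = new Uri(webUri.ToString().TrimEnd('/') + "/_api/web/lists/getbytitle('" + safeTitle + "')");
                    string result = client.DownloadString(endpointUri);

                    // The verbose OData payload wraps the result in a "d" property.
                    JObject jo = (JObject)JsonConvert.DeserializeObject(result);
                    JToken jToken = jo["d"];
                    return jToken;
                }
            }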


    We can create a credential via user name and password as below.

                // Requires: using System.Net; using System.Security;
                //           using Microsoft.SharePoint.Client;

                // For SharePoint Online
                // Set the user name and password
                string password = "xxxxxx";
                string userName = "xxxx.onmicrosoft.com";
                SecureString secureString = new SecureString();
                foreach (char c in password)
                {
                    secureString.AppendChar(c);
                }
                ICredentials credential = new SharePointOnlineCredentials(userName, secureString);

                // For SharePoint 2013 (on-premises); use this instead of the block above
                string onPremPassword = "xxxxxx";
                string onPremUserName = "xxxx";
                string domain = "xxxxx";
                ICredentials onPremCredential = new NetworkCredential(onPremUserName, onPremPassword, domain);

    Best regards,

    Lee Liu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Friday, March 23, 2018 2:29 AM
  • Hi,

    I am checking to see how things are going there on this issue.

    If the issue was resolved, you can mark the helpful post as answer to help other community members find the helpful information quickly.

    Best regards,

    Lee Liu



    Monday, March 26, 2018 2:51 AM
  • Thanks for the reply. Actually, we are working with SharePoint Online and using OAuth for accessing the REST APIs. If there is any way we can leverage something like an "on Behalf of" any user feature and perform the API operations, please let us know.

    BrajMohan


    Monday, March 26, 2018 5:18 AM
  • Hi,

    I think you need to get Access Token of SharePoint online.

    Here is a workaround step by step for your reference.

    http://paulryan.com.au/2014/spo-remote-authentication-rest/


    Best regards,

    Lee Liu



    Monday, March 26, 2018 5:55 AM
  • Thanks, Lee. Please accept my apology; I forgot to mention that we don't have access to other users' creds. The functionality that we are trying to build will let an admin user see what files and folders users have, so we have only admin creds available, and with those we would like to see if there is any way to see what files and folders other users have.

    BrajMohan

    Monday, March 26, 2018 8:07 AM
  • Hi,

    Do you mean that you want to get the effective permissions of a user?

    We can do this with the code below:

    using System;
    using Microsoft.SharePoint;
    
    namespace Test
    {
        class Program
        {
            static void Main(string[] args)
            {
                using (SPSite site = new SPSite("http://localhost"))
                {
                    using (SPWeb web = site.OpenWeb())
                    {
                        // Get a list to check permissions on.
                        // TrimEnd keeps the path valid for the root web ("/") and for sub-webs.
                        string listUrl = web.RootFolder.ServerRelativeUrl.TrimEnd('/') + "/shared documents";
                        SPList list = web.GetList(listUrl);
    
                        // Be sure the current user has permission to check permissions.
                        if (web.DoesUserHavePermissions(SPBasePermissions.EnumeratePermissions))
                        {
                            foreach (SPGroup group in web.Groups)
                            {
                                foreach (SPUser user in group.Users)
                                {
                                    // Get the rights mask for a user.
                                    SPBasePermissions permMask = list.GetUserEffectivePermissions(user.LoginName);
    
                                    // Check if the user has a specific right.
                                    bool hasPermission = (permMask & SPBasePermissions.ApproveItems) != 0;
                                    Console.WriteLine("{0} {1} permission to approve items.", 
                                                      user.LoginName, hasPermission ? "has" : "does not have");
                                }
                            }
                        }
                    }
                }
                Console.Write("\nPress ENTER to continue...");
                Console.ReadLine();
            }
        }
    }
    

    Best regards,

    Lee Liu



    Monday, March 26, 2018 10:14 AM
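
A REST counterpart to the server-side sample above, added here as an example that is not part of the original thread: the caller uses its own OAuth token to ask SharePoint for another user's effective permissions on a list, so that user's credentials are never needed. The access token, the sample JSON response and the class, enum and method names are assumptions made for illustration.

```csharp
using System;
using System.Net;
using Newtonsoft.Json.Linq;

public static class EffectivePermissionCheck
{
    // Subset of the SPBasePermissions bit values (all in the low word of the mask).
    [Flags]
    public enum Rights : ulong
    {
        ViewListItems = 0x1, AddListItems = 0x2, EditListItems = 0x4,
        DeleteListItems = 0x8, ApproveItems = 0x10, OpenItems = 0x20
    }

    // Combine the High/Low values of an SP.BasePermissions result into one 64-bit mask.
    public static Rights ParseMask(string json)
    {
        JToken perms = JObject.Parse(json)["d"]["GetUserEffectivePermissions"];
        ulong high = ulong.Parse((string)perms["High"]);
        ulong low = ulong.Parse((string)perms["Low"]);
        return (Rights)((high << 32) | low);
    }

    // adminAccessToken: bearer token of the calling admin or app (assumed obtained elsewhere).
    public static Rights GetForUser(Uri webUri, string adminAccessToken, string listTitle, string loginName)
    {
        using (WebClient client = new WebClient())
        {
            client.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + adminAccessToken);
            client.Headers.Add(HttpRequestHeader.Accept, "application/json;odata=verbose");
            // OData string literals escape ' by doubling it; then URL-encode the value.
            string title = Uri.EscapeDataString(listTitle.Replace("'", "''"));
            string user = Uri.EscapeDataString(loginName.Replace("'", "''"));
            string url = webUri.ToString().TrimEnd('/') + "/_api/web/lists/getbytitle('" + title +
                         "')/getusereffectivepermissions(@u)?@u='" + user + "'";
            return ParseMask(client.DownloadString(url));
        }
    }

    public static void Main()
    {
        // Constructed sample response (Low = 0x21), so the decoding runs offline.
        string sample = "{\"d\":{\"GetUserEffectivePermissions\":{\"High\":\"0\",\"Low\":\"33\"}}}";
        Rights rights = ParseMask(sample);
        Console.WriteLine("ViewListItems: {0}", rights.HasFlag(Rights.ViewListItems));
        Console.WriteLine("ApproveItems: {0}", rights.HasFlag(Rights.ApproveItems));
    }
}
```

As in the server-side sample, the calling account needs the right to enumerate permissions on the web for the request to succeed.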
  • Thanks. I want to get the list of files and folders to which a particular user has access.

    BrajMohan

    Monday, March 26, 2018 10:16 AM
  • Actually, we are working in a similar way for Box.com. This is what we are using there: https://developer.box.com/v2.0/reference#as-user-1

    BrajMohan

    Monday, March 26, 2018 10:23 AM