Security Trimmed Snippet and Script Editor Web Part

  • Question

  • Hi all,

    I need to security trim a list of sub sites retrieved via REST and jQuery. SharePoint's REST API is very inconsistent regarding security trimming, so I wanted to use a Security Trimmed Snippet. For a user with access to all sub sites it displays, but it gives me an "internal error" for a user who does not have access to 1 of the 10 sub sites that are output. Please help. This is what I have in the Script Editor Web Part currently. My goal is to have a security trimmed list of sub sites.

    <div data-name="SecurityTrimmedAuthenticated">
        <!--CS: Start Security Trim Snippet-->
        <!--SPM:<%@Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"%>-->
        <!--MS:<SharePoint:SPSecurityTrimmedControl runat="server" AuthenticationRestrictions="AuthenticatedUsersOnly" Permissions="ViewPages">-->
            <!--PS: Start of READ-ONLY PREVIEW (do not modify)--><span><!--PE: End of READ-ONLY PREVIEW-->
            <div class="DefaultContentBlock" style="border:medium black solid; background:yellow; color:black; margin:20px; padding:10px;">

    <script type="text/javascript" src="https://ajax.aspnetcdn.com/ajax/jquery/jquery-1.9.0.min.js"></script>
    <script type="text/javascript">
        $(document).ready(function ($) {
            // Root of the REST endpoint for the site whose sub sites are listed
            var basePath = "https://yourcompany.com/sites/projects/_api/";
            $.ajax({
                url: basePath + "web/webs/?$select=*",
                type: "GET",
                headers: { "Accept": "application/json;odata=verbose" },
                success: function (data) {
                    // Build one paragraph with a link per sub site. Title and Url are
                    // set as text/attribute rather than concatenated into an HTML
                    // string, so a site title containing markup is not rendered as markup.
                    $.each(data.d.results, function (index, value) {
                        var link = $("<a></a>").attr("href", value.Url).text(value.Title);
                        $("#SiteList").append($("<p></p>").append(link));
                    });
                },
                error: function (xhr) {
                    // Surface the HTTP status text when the REST call fails
                    alert(xhr.statusText);
                }
            });
        });
    </script>

    <div id="SiteList"><h2>Projects List</h2></div>

            </div>
            <!--PS: Start of READ-ONLY PREVIEW (do not modify)--></span><!--PE: End of READ-ONLY PREVIEW-->
        <!--ME:</SharePoint:SPSecurityTrimmedControl>-->
        <!--CE: End Security Trim Snippet-->
    </div>


    Personal Blog: http://thebitsthatbyte.com

    Sunday, August 18, 2013 3:52 AM

Answers

  • Hi Kelly,

    Please let me know whether the following REST query provides you the trimmed list of webs:

    http://site/_api/web/webs/?$select=title,effectivebasepermissions&$filter=effectivebasepermissions/high%20gt%2032

    If the above REST query doesn't trim the results, please provide me the following data:

    a) The output of the following queries and

    b) The list of webs on which current user doesn't have access

    http://site/_api/web/webs/?$select=title,effectivebasepermissions
    
    http://site/_api/web/roledefinitions

    Then, I may be able to help.

    Narahari



    • Marked as answer by Kelly Rusk Sunday, August 18, 2013 5:49 PM
    Sunday, August 18, 2013 7:17 AM

All replies

  • Hi Narahari,

    The first call worked to trim the results! A question for you, I have looked in the SharePoint 2013 documentation but can't find the high/low setting and what the values represent. Why do you use the number 32 in GT 32?

    When I look at this call http://site/_api/web/webs/?$select=title,effectivebasepermissions

    I get the following output:

    <d:High m:type="Edm.Int64">2147483647</d:High>

    <d:Low m:type="Edm.Int64">4294967295</d:Low>

    Both the High and Low values seem greater than 32.

    Are there other numbers to determine the level of permission or is it possible to use the PermissionKind in the REST call?

    http://msdn.microsoft.com/en-us/library/ee556747(v=office.14).aspx

    Here is the SharePoint 2013 reference to effectiveBasePermissions as part of the JavaScript Object Library:

    http://msdn.microsoft.com/en-us/library/jj245395.aspx

    It references the SP.BasePermissions.

    Thanks for all your help. If I can understand the high/low or see the documentation around that, or do a call by PermissionKind, I believe we will be in good shape!

    Thanks!

    Kelly


    Personal Blog: http://thebitsthatbyte.com

    Sunday, August 18, 2013 5:41 PM
  • When I pull the role definitions, I get the following. Is this where you are getting the high values?

    Role definitions feed (xml:base https://yourcompany.com/sites/projects/_api/, updated 2013-08-18T17:42:37Z), one row per SP.RoleDefinition entry with its BasePermissions High/Low:

    Name                                   Id          High        Low         Hidden  Order       RoleTypeKind  Description
    Full Control                           1073741829  2147483647  4294967295  false   1           5             Has full control.
    Design                                 1073741828  432         1012866047  false   32          4             Can view, add, update, delete, approve, and customize.
    Edit                                   1073741830  432         1011030767  false   48          6             Can add, edit and delete lists; can view, add, update and delete list items and documents.
    Contribute                             1073741827  432         1011028719  false   64          3             Can view, add, update, and delete list items and documents.
    Read                                   1073741826  176         138612833   false   128         2             Can view pages and list items and download documents.
    Limited Access                         1073741825  16          134283264   true    160         1             Can view specific lists, document libraries, list items, folders, or documents when given permissions.
    View Only                              1073741924  176         138612801   false   2147483647  0             Can view pages, list items, and documents. Document types with server-side file handlers can be viewed in the browser but not downloaded.
    Approve                                1073741925  432         1011028991  false   2147483647  0             Can edit and approve pages, list items, and documents.
    Manage Hierarchy                       1073741926  1073742320  2129075183  false   2147483647  0             Can create sites and edit pages, list items, and documents.
    Restricted Read                        1073741927  0           196641      false   2147483647  0             Can view pages and documents, but cannot view historical versions or user permissions.
    Restricted Interfaces for Translation  1073741928  32          65536       false   2147483647  0             Can open lists and folders, and use remote interfaces.


    Personal Blog: http://thebitsthatbyte.com

    Sunday, August 18, 2013 5:48 PM
  • Hi Kelly,

    Great to hear that the first REST query worked!!! Unfortunately, there is no good documentation on EffectiveBasePermissions (except its definition :-) ). I have done good research on the "PermissionKind" attribute earlier and am able to use it easily with CSOM but couldn't get it working with REST at all. After careful analysis, the only way I could achieve trimming is using "basePermission" values. The following links will help you understand the permission numbers further.

    http://jamestsai.net/Blog/post/Understand-SharePoint-Permissions-Part-2-Check-SharePoint-usergroup-permissions-with-Permissions-web-service-and-JavaScript.aspx

    http://jamestsai.net/Blog/post/Understand-SharePoint-Permissions---Part-1-SPBasePermissions-in-Hex2c-Decimal-and-Binary---The-Basics.aspx

    Also, if you carefully analyze the role definitions, for all the roles having high value < 32, user cannot access the web.

    I have been very busy with my projects these days. But I am planning to write a blog post on this explaining the scenarios very soon.

    Narahari



    Sunday, August 18, 2013 8:35 PM
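An added example (my code, not from either poster) that answers Kelly's High/Low question and Narahari's reply above: the High and Low values are the upper and lower 32 bits of the 64-bit SPBasePermissions mask, so they can be recombined and tested for a specific bit such as ViewPages instead of relying on the "high gt 32" filter. The sample webs are constructed, with High/Low values copied from the role definitions posted in this thread; the SPBasePermissions flag values are the documented bit positions of that enumeration and are not taken from the thread.

```javascript
// Added example, not code from the thread. Decodes EffectiveBasePermissions
// High/Low into one 64-bit SPBasePermissions mask (BigInt) and filters webs on
// the ViewPages bit, then compares that with the "high gt 32" heuristic.

// SPBasePermissions flag values, written as bit positions in the 64-bit mask.
const SPBasePermissions = {
  ViewListItems: 1n << 0n,
  OpenItems: 1n << 5n,
  ViewFormPages: 1n << 12n,
  Open: 1n << 16n,
  ViewPages: 1n << 17n,
  BrowseDirectories: 1n << 26n,
  BrowseUserInfo: 1n << 27n,
  ManageWeb: 1n << 30n,
  UseClientIntegration: 1n << 36n,
  UseRemoteAPIs: 1n << 37n,
  EnumeratePermissions: 1n << 62n,
};

// REST (odata=verbose) returns the two Edm.Int64 halves as strings:
// High holds bits 32..63 and Low holds bits 0..31 of the mask.
function toMask(ebp) {
  return (BigInt(ebp.High) << 32n) | BigInt(ebp.Low);
}

function hasPermission(ebp, flag) {
  return (toMask(ebp) & flag) === flag;
}

// The accepted answer's filter: effectivebasepermissions/high gt 32.
function heuristicAllows(ebp) {
  return BigInt(ebp.High) > 32n;
}

// Keep only webs where the current user holds ViewPages.
function trimWebs(webs) {
  return webs.filter((w) => hasPermission(w.EffectiveBasePermissions, SPBasePermissions.ViewPages));
}

// Titles of webs where the heuristic and the ViewPages bit disagree.
function disagreements(webs) {
  return webs
    .filter((w) => heuristicAllows(w.EffectiveBasePermissions) !==
                   hasPermission(w.EffectiveBasePermissions, SPBasePermissions.ViewPages))
    .map((w) => w.Title);
}

// Constructed sample webs; High/Low pairs are the role definitions from the thread.
const sampleWebs = [
  { Title: "Alpha",   EffectiveBasePermissions: { High: "2147483647", Low: "4294967295" } }, // Full Control
  { Title: "Beta",    EffectiveBasePermissions: { High: "176", Low: "138612833" } },         // Read
  { Title: "Gamma",   EffectiveBasePermissions: { High: "0",   Low: "196641" } },            // Restricted Read
  { Title: "Delta",   EffectiveBasePermissions: { High: "16",  Low: "134283264" } },         // Limited Access
  { Title: "Epsilon", EffectiveBasePermissions: { High: "32",  Low: "65536" } },             // Restricted Interfaces for Translation
];
```

Restricted Read (High 0) carries ViewPages but is dropped by the "high gt 32" filter, which is the kind of false negative a bit test avoids. Either way this only decides what the web part renders; each sub site still enforces its own permissions when the user follows the link.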
  • Thank you! Your help has been invaluable.


    Personal Blog: http://thebitsthatbyte.com

    Sunday, August 18, 2013 8:58 PM
  • IMPORTANT: All users must have the Browse Directories permission in order to read the REST call.

    By default, only the Members group at the Site Collection does because the Contribute Permission Level has Browse Directories. This was confusing at first, because I only wanted my visitors to see the sites but not have edit capabilities.

    You can either create a new Permission Level and add it to a new group or existing group (such as Visitors), or open the Read Permission Level tied to the Visitors group and select Browse Directories. I don't like to mess with the default groups, so you may want to create your own group.


    Personal Blog: http://thebitsthatbyte.com

    Monday, August 19, 2013 1:56 AM