Security Trimmed REST Call

All replies

  • When you query using REST, the results are going to be security trimmed automatically.  So if the user doesn't have access to a list or a particular list item, then those results won't come back with REST either.

    Corey Roth - SharePoint Server MVP blog: www.dotnetmafia.com twitter: @coreyroth | SP2 Apps

    Thursday, August 1, 2013 1:43 PM
  • Thanks Corey,

    The issue I am experiencing is that if the user does not have access to even 1 site in the list of subsites, the overall REST call fails. It is like it does not iterate through the items.

    Kelly


    Personal Blog: http://thebitsthatbyte.com

    Thursday, August 1, 2013 5:34 PM
  • I've also found the same problem. I'm not sure; maybe it's a bug.

    Thanks,
    Sohel Rana
    http://ranaictiu-technicalblog.blogspot.com

    Friday, August 2, 2013 6:26 AM
  • Hi Kelly, Sohel

    You are right. The results are not security trimmed.

    To retrieve the results to which a user has access, you need to use the effectivebasepermissions filter.

    To get only the subsites to which the user has access, use the following statement:

    http://site/_api/web/webs/?$select=title&$filter=effectivebasepermissions/high%20gt%200

    The above statement loops through all the webs and fetches only those web titles whose high component of effectivebasepermissions is greater than 0 (meaning the current user has access).

    The above query can be even more refined to take into account the low component of effectivebasepermissions. But it still works :-). Took me some time to research as there is not enough documentation on this.

    Narahari

    • Marked as answer by Kelly Rusk Friday, August 2, 2013 1:27 PM
    • Unmarked as answer by Kelly Rusk Friday, August 2, 2013 1:39 PM
    Friday, August 2, 2013 7:15 AM
  • Hi Narahari,

    I tested it with a user who does not have permissions, but it still pulled all the sites without trimming.

    Kelly


    Personal Blog: http://thebitsthatbyte.com

    Friday, August 2, 2013 1:40 PM
  • I just tried this and it still gave the same errors.  I don't believe this scenario is possible with REST at the moment.

    This scenario can be fulfilled using CSOM and the SP.Web.getSubwebsForCurrentUser method: http://msdn.microsoft.com/en-us/library/jj246242.aspx

    The example on that MSDN page is a great starting point for your needs.


    Brandon Atkinson
    Blog: http://brandonatkinson.blogspot.com

    • Marked as answer by Kelly Rusk Friday, August 2, 2013 2:52 PM
    Friday, August 2, 2013 1:53 PM
  • Hi Kelly, Corey

    Please find below the updated REST query which returns the trimmed list of sub webs.

    http://site/_api/web/webs/?$select=title,effectivebasepermissions&$filter=effectivebasepermissions/high%20gt%2032

    Narahari

    • Marked as answer by Kelly Rusk Sunday, August 18, 2013 9:00 PM
    Sunday, August 18, 2013 8:56 PM
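
Added example (not code from any poster in this thread): decoding the High and Low words that the last query returns in effectivebasepermissions, so a client can test named permission bits for each subweb. The numbers are SP.PermissionKind enum values; the sample rows and the helper names hasPermission and websWithPermissions are constructed for illustration.

```javascript
// Added example. SP.PermissionKind values (subset): kind k is bit (k - 1) of a
// 64-bit mask, split into Low (kinds 1-32) and High (kinds 33-64).
const PermissionKind = {
  viewListItems: 1,
  open: 17,
  viewPages: 18,
  anonymousSearchAccessWebLists: 32,
  useClientIntegration: 37,
  useRemoteAPIs: 38,
};

// True when `kind` is set in an EffectiveBasePermissions value.
// High and Low may arrive as strings, so they are coerced first.
function hasPermission(perms, kind) {
  const bit = kind - 1;
  const word = Number(bit < 32 ? perms.Low : perms.High);
  if (!Number.isInteger(word) || word < 0 || word > 0xffffffff) {
    throw new RangeError("High/Low must be unsigned 32-bit integers");
  }
  // >>> 0 keeps bit 31 unsigned; a plain (1 << 31) is negative in JavaScript.
  const mask = (1 << (bit % 32)) >>> 0;
  return ((word & mask) >>> 0) === mask;
}

// Titles of the webs on which every kind in `kinds` is granted.
function websWithPermissions(webs, kinds) {
  return webs
    .filter((w) => kinds.every((k) => hasPermission(w.EffectiveBasePermissions, k)))
    .map((w) => w.Title);
}

// Constructed sample, shaped like the result rows of the query above.
const sampleWebs = [
  { Title: "Team A", EffectiveBasePermissions: { High: "176", Low: "138612833" } },
  { Title: "Team B", EffectiveBasePermissions: { High: "48", Low: "0" } },
  { Title: "Team C", EffectiveBasePermissions: { High: "0", Low: "196609" } },
];

const required = [PermissionKind.open, PermissionKind.viewPages];
console.log(websWithPermissions(sampleWebs, required)); // webs that can be opened and viewed
```

Filtering like this only decides what a page displays; access to each web is still enforced by the server.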