Security Trimming Problem with client side call to client.svc.

  • Question

  • I made a call to client.svc to get all sub sites for my current site:

        var clientContext = new SP.ClientContext(), web = clientContext.get_web();
        var subWebs = web.get_webs(); clientContext.load(subWebs);
        clientContext.executeQueryAsync(function (sender, args) {
            // success: subWebs is loaded
        }, function (sender, args) { /* failure: args.get_message() holds the error */ });

    One of the webs has permissions that produce "Access denied" for the user who runs my app, and the whole request gives me an access denied error. But in reality there are a few sub sites, and only one has such forbidden permissions for this user.

    I thought that SharePoint does security trimming, so it must just trim out the forbidden site and give me back the collection of the others. Why doesn't the service do this?

    Thursday, May 30, 2013 4:33 PM

All replies

  • Searching, CAML queries, and navigation providers have all supported security trimming; however, accessing the webs collection of an SPWeb will throw access denied errors, since an OpenWeb method call is made whenever the collection is accessed. The collection is accessed during the remote call to return properties of the SPWeb. Unfortunately, there is no way to avoid this on the client side.


    Blog | SharePoint Field Notes Dev Tool | ClassMaster

    • Marked as answer by shsv1 Friday, May 31, 2013 8:23 PM
    Thursday, May 30, 2013 7:08 PM
  • Thanks for the quick answer.

    Would you show me a way to get all sub sites of the current site through search, on the client side, for SharePoint 2013 Online? Since search has security trimming, by using search there must be no 'access denied'?


    • Edited by shsv1 Thursday, May 30, 2013 7:58 PM
    Thursday, May 30, 2013 7:57 PM
  • Yes, you can do this with search on SharePoint Online. You can either use CSOM or REST. I prefer REST. Below is some REST example code that uses a query to search for a site and all the sub sites. It uses the SiteID property, so you will have to get the ID of the root site collection first. The code makes sure to return the ParentLink property so you can associate sub sites with the parent sites. This should security trim sites and sub sites, but you will have to test.

    try {
        $.ajax({
            // siteID is the ID of the root site collection
            url: "https://youronlinesite/_api/search/query?querytext='(contentclass:STS_Site OR contentclass:STS_Web) AND siteID:{eccdbe85-3c52-4dc3-8fa9-d5bcd1063d4d}'&selectproperties='Path,Title,ParentLink,contentclass,SiteID'&rowlimit=500&trimduplicates=false&enablequeryrules=false",
            method: "GET",
            headers: {
                "accept": "application/json; odata=verbose"
            },
            success: function (data) {
                if (data.d.query.PrimaryQueryResult.RelevantResults.RowCount > 0) {
                    // Rows are in data.d.query.PrimaryQueryResult.RelevantResults.Table.Rows.results
                }
            },
            error: function (err) {
                alert(JSON.stringify(err));
            }
        });
    }
    catch (err) {
        // request failures are reported through the error callback above
    }


    Blog | SharePoint Field Notes Dev Tool | ClassMaster

    • Marked as answer by shsv1 Friday, May 31, 2013 8:23 PM
    Friday, May 31, 2013 3:14 AM
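
The success callback in the answer above is left empty. As an added example (not code from the thread), this groups the returned rows into parent and sub sites and flags sub sites whose parent is absent from the results, which is what a caller sees when the parent is not returned for that user. It assumes ParentLink holds the parent site's URL; `buildSiteTree`, `sampleRow` and the contoso.example URLs are hypothetical.

```javascript
// Added example, not the answer's code. Groups search REST rows (odata=verbose)
// into parent -> sub sites using the ParentLink property the query selects.

// One row is a list of {Key, Value} cells; flatten it into a plain object.
function rowToObject(row) {
    var obj = {};
    row.Cells.results.forEach(function (cell) { obj[cell.Key] = cell.Value; });
    return obj;
}

// Compare URLs without trailing slashes or case differences.
function normalizeUrl(url) {
    return (url || "").replace(/\/+$/, "").toLowerCase();
}

// Returns { children: {parentUrl: [site, ...]}, orphans: [site, ...] }.
// An orphan is a sub site whose parent is missing from the results,
// for example because the parent was trimmed out for this user.
function buildSiteTree(data) {
    var relevant = data.d.query.PrimaryQueryResult.RelevantResults;
    var sites = relevant.RowCount > 0 ? relevant.Table.Rows.results.map(rowToObject) : [];
    var known = {};
    sites.forEach(function (s) { known[normalizeUrl(s.Path)] = true; });
    var tree = { children: {}, orphans: [] };
    sites.forEach(function (s) {
        if (s.contentclass !== "STS_Web") { return; }   // STS_Site rows are roots
        var parent = normalizeUrl(s.ParentLink);         // assumption: parent site URL
        if (!known[parent]) { tree.orphans.push(s); return; }
        (tree.children[parent] = tree.children[parent] || []).push(s);
    });
    return tree;
}

// Constructed sample data (hypothetical URLs), shaped like the REST response.
function sampleRow(path, title, parentLink, contentclass) {
    var c = { Path: path, Title: title, ParentLink: parentLink, contentclass: contentclass };
    return { Cells: { results: Object.keys(c).map(function (k) { return { Key: k, Value: c[k] }; }) } };
}
var root = "https://contoso.example/sites/team";
var sampleRows = [
    sampleRow(root, "Team", null, "STS_Site"),
    sampleRow(root + "/hr", "HR", root + "/", "STS_Web"),
    sampleRow(root + "/hr/payroll", "Payroll", root + "/hr", "STS_Web"),
    sampleRow(root + "/legal/contracts", "Contracts", root + "/legal", "STS_Web")
];
var sampleResponse = { d: { query: { PrimaryQueryResult: { RelevantResults: {
    RowCount: sampleRows.length, Table: { Rows: { results: sampleRows } } } } } } };
var sampleTree = buildSiteTree(sampleResponse);
```

In the success callback, `buildSiteTree(data)` takes the response object as jQuery delivers it.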
  • I found a different way. I use the SP.Web.getSubwebsForCurrentUser() method now.

    Another thing: if you request not all properties of the sub sites but only a few, like Id, Title, and so on, there is no exception even if there is no permission to view the site.

    var clientContext = new SP.ClientContext(), web = clientContext.get_web();
    // The Id, Title and ServerRelativeUrl properties of SPWeb don't throw an exception if there are no view permissions on the SPWeb.
    var subWebs = web.get_webs(); clientContext.load(subWebs, "Include(Id)","Include(Title)","Include(ServerRelativeUrl)");
    clientContext.executeQueryAsync(function (sender, args) {
        // success: subWebs holds the requested properties
    }, function (sender, args) { /* failure: args.get_message() holds the error */ });
    

    Friday, May 31, 2013 8:33 PM