
Posts

How to check User permission using REST

Though SharePoint handles security trimming throughout the site, when you create custom pages and controls you sometimes need to check the permissions of the logged-in user to allow or block certain actions. For example, show the Edit button only if the user has permission to edit list items. So how do you check whether the logged-in user has the required permission?

SharePoint provides a REST endpoint, "effectiveBasePermissions". Using this endpoint, you can check whether the user has the required permission.

The URL syntax is: [Domain]/[Site]/_api/web/lists/getByTitle('ListName')/effectiveBasePermissions.

Interestingly, this endpoint returns data as a JavaScript Object Model (JSOM) object. So to use this data, you need to load two libraries, sp.runtime.debug.js and sp.debug.js. These libraries are available in the 15 hive folder.

Let me show you the complete code (jQuery should be loaded for this code). This code is tested in SharePoint Online and it should …
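As an added illustration (not the code from the original post), the permission mask can also be decoded directly, which goes beyond the JSOM approach described above. It assumes the verbose OData response carries an EffectiveBasePermissions object with High and Low as decimal strings, and that PermissionKind value n maps to bit n-1 as in SP.PermissionKind; the sample payloads are constructed.

```javascript
// Added example: decode the High/Low mask from effectiveBasePermissions.
// Subset of SP.PermissionKind values (assumed numbering: kind n -> bit n-1).
const PermissionKind = {
  viewListItems: 1,
  addListItems: 2,
  editListItems: 3,
  deleteListItems: 4,
  manageLists: 12,
};

// Validate the payload and return both halves as unsigned 32-bit integers.
function parseBasePermissions(ebp) {
  const high = Number(ebp && ebp.High);
  const low = Number(ebp && ebp.Low);
  const ok = (n) => Number.isInteger(n) && n >= 0 && n <= 0xffffffff;
  if (!ok(high) || !ok(low)) {
    throw new TypeError("unexpected effectiveBasePermissions payload");
  }
  return { high: high >>> 0, low: low >>> 0 };
}

// True when the bit for the given PermissionKind is set in the mask.
function hasPermission(ebp, kind) {
  const { high, low } = parseBasePermissions(ebp);
  const bit = kind - 1;
  if (!Number.isInteger(bit) || bit < 0 || bit > 63) {
    throw new RangeError("unsupported PermissionKind: " + kind);
  }
  return bit < 32
    ? (low & (1 << bit)) !== 0          // kinds 1..32 live in Low
    : (high & (1 << (bit - 32))) !== 0; // kinds 33..64 live in High
}

// Decide whether to render the Edit button; any malformed response
// is treated as "no permission" so the control fails closed.
function canShowEditButton(ebp) {
  try {
    return hasPermission(ebp, PermissionKind.editListItems);
  } catch (e) {
    return false;
  }
}

// Constructed sample payloads (not real tenant data).
const sampleEditor = { High: "0", Low: "7" }; // view + add + edit
const sampleReader = { High: "0", Low: "1" }; // view only
```

Hiding the button is only a display decision; SharePoint still evaluates the user's permission when the update request reaches the server.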
Recent posts

SharePoint Custom Page - Page not found error

I came across an interesting behavior. I had created a custom page with custom logic. I had to pass a parameter and a number so that I can use the value in the code.

So the URL looks something like this:

http://[Domain]/[SiteCollection]/Page/MyCustomPage.aspx?Id=[number]

When I navigate to this page, MyCustomPage was not loading, instead SharePoint was giving "Page not found" error. If I navigate to the same page without passing a parameter, it renders the page without any problem. That means, when I pass a parameter in the URL, SharePoint was treating the entire URL as a page URL. Since it doesn't exist, it was throwing page not found error.

This was one of those weird behaviors which are hard to comprehend. After a bit of Googling, I came across this article by Stefan Goßner. In this article Stefan lists some of the parameters which we should not be using as they are reserved query string parameters. Though the article is specific to MOSS 2007 and SharePoint 2010, the i…

Security Trimming and REST

Security trimming is an important feature in SharePoint. The permissions defined in a site are "respected" throughout the site, including the APIs. So once you define a permission, it is applied wherever you navigate, and you will (or will not) see the data accordingly.

It also means that if you are using the REST API to fetch data from a SharePoint site, the API returns security-trimmed data. So you don't have to apply any additional filter to the query. The same query might return 10 items for one user and 20 items for another, based on each user's permissions on the items.

Also, let us say you are trying to get a list of Apps (Libraries and Lists) from a site using REST and you are displaying that on a page. Also assume that you have not given the user "User A" permission to 5 out of 10 Apps.

How many Apps does User A get to see on the page? It's not 5 but all. Remember, this is similar to the case where user navigate to Site Contents page and…

How to fetch value from Rich Text editor using jquery

When we use multi-line text in SharePoint List, Rich Text Editor will be rendered on List forms. If you ever need to apply a custom validation on this control, you would need to fetch values programmatically.

So how can we fetch the value from a rich text editor?

As a first step, open the List form using SharePoint Designer. Replace the control ID (e.g., ff1) with a custom name. Let us say Desc.

Every rich text editor is basically a "contenteditable" DIV. We cannot rely on the complete ID, so we need to match it with a wildcard and also use the role attribute, which is always "textbox" for a rich text editor.

So your jQuery code looks like this:

$("[role=textbox][id*='Desc']").html();

By using role attribute and the field name, you are assured of getting the value of a multi-line text field.

REST API error: The query to field is not valid

I stumbled upon this error when I was trying to fetch items from SharePoint List using REST API.

The query to field 'ExpandColumn/ColumnName' is not valid

After some quick research, I found that we get this error if we are trying to fetch a multi-line text column through an $expand query.

What does it mean? If you have a lookup column and you want to fetch columns through that lookup column, you can use an $expand query. Though it works for fields such as Single line of text, Date, Numeric etc., the $expand query will not fetch multi-line text columns.

The workaround for this limitation is to make two REST calls: one to fetch the List items, and the other to fetch the corresponding multi-line text value from the lookup list directly.

REST equivalent of AddToCurrentScopeOnly method

When we have to programmatically apply fine-grained permissions to the List items, we have to ensure the ACL (Access Control List) limit is under control as defined in Software Boundaries. Typically, in the server-side object model (SSOM), Microsoft provides a method called AddToCurrentScopeOnly. The best practice document also suggests using this method. To quote what is mentioned in the above article:

Use the AddToCurrentScopeOnly method to assign Limited Access membership in a SharePoint group. The key element in this principle is to redesign the architecture so that scope membership does not cause Access Control List (ACL) recalculation at the parent document library and web.

In fact, I have used this method in SSOM and it works fine. So when I had to apply fine-grained permissions to the List items using REST API, I was looking for an endpoint for AddToCurrentScopeOnly. But I could not find any reference in MSDN. It turned out that this method is not available in client side APIs includi…

How to clear multi-value Lookup field using REST API

Last year, I had written a post on updating a multi-value Lookup field using REST API. When you are updating a multi-value lookup column, sometimes you would also need to clear the column.

The way we can clear a multi-value lookup column is different than how we would do for a single value lookup column using REST API.

For a single value lookup column, setting a null clears the value. However, for multi-value lookup column, setting a null or blank space does not work. Why? Remember, when you are updating a multi-value column, you would set an array object with the key "results".

So to clear a multi-value lookup column, we need to assign the key "results" to an empty array as shown below:

{ "ColumnId": { "results": [] } }

So if you are using the REST API to update a multi-value column, make sure you also handle the case of clearing the column.