
Security Trimming and REST

Security trimming is an important feature in SharePoint. The permissions defined in a site are respected throughout the site, including the APIs. So once you define a permission, it is applied wherever you navigate, and you will or will not see the data accordingly.

This also means that if you use the REST API to fetch data from a SharePoint site, the API returns security-trimmed data. You don't have to apply any additional filter to the query. The same query might return 10 items for one user and 20 items for another, based on each user's permissions on the items.

Now let us say you are getting the list of Apps (Libraries and Lists) from a site using REST and displaying it on a page. Also assume that you have not given the user "User A" permission to 5 out of the 10 Apps.

How many Apps does User A get to see on the page? Not 5, but all of them. Remember, this is similar to the case where a user navigates to the Site Contents page and can see the complete list of Apps, whether or not the user has permission to an App. Only when the user clicks on an App they do not have access to does it show an Access Denied message.

So even in this case REST works as expected. I hope this clears up any doubts around security trimming in the REST API.
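To check this behaviour on your own site, here is an added example (not code from the original post) that classifies the result of an unfiltered items query per user and diffs what two users received. The helper names, the sample responses and the mapping of Access Denied to HTTP 403/401 are assumptions made for illustration.

```javascript
// Added example. Sample responses below are constructed, not captured from a real site.

// URL for the items of one list; OData escapes a single quote by doubling it.
function itemsUrl(siteUrl, listTitle) {
  const title = encodeURIComponent(listTitle.replace(/'/g, "''"));
  return `${siteUrl}/_api/web/lists/getByTitle('${title}')/items?$select=Id`;
}

// Turn one HTTP result into what the page should do for this user and list.
// Assumption: Access Denied reaches the client as HTTP 403 (or 401).
function classify(status, body) {
  if (status === 200) return { access: "granted", ids: body.d.results.map((i) => i.Id) };
  if (status === 401 || status === 403) return { access: "denied", ids: [] };
  return { access: "error", ids: [] };
}

// Live probe: runs in a browser session already signed in to the site.
async function probe(siteUrl, listTitle, fetchImpl = fetch) {
  const res = await fetchImpl(itemsUrl(siteUrl, listTitle), {
    headers: { Accept: "application/json;odata=verbose" },
    credentials: "include",
  });
  return classify(res.status, res.status === 200 ? await res.json() : null);
}

// Diff the item ids two users received for the same unfiltered query.
function compareTrimming(a, b) {
  const inA = new Set(a.ids), inB = new Set(b.ids);
  return {
    onlyA: a.ids.filter((id) => !inB.has(id)),
    onlyB: b.ids.filter((id) => !inA.has(id)),
    shared: a.ids.filter((id) => inB.has(id)),
  };
}

// Constructed sample: same query, two users, plus a list User A cannot open.
const body = (ids) => ({ d: { results: ids.map((Id) => ({ Id })) } });
const userA = classify(200, body([1, 2, 3]));
const userB = classify(200, body([1, 2, 3, 4, 5]));
const userAOnDeniedList = classify(403, null);

console.log(compareTrimming(userA, userB), userAOnDeniedList.access);
```

A non-empty `onlyA` or `onlyB` is the trimming at work; the page that renders the list of Apps should treat a `denied` result as the Access Denied case rather than as an empty list.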
