mteinovic
Feb 01, 2024 (Copper Contributor)
MSTeams Graph API: user is getting private and shared channels which he is not a part of
The API in question:
https://learn.microsoft.com/en-us/graph/api/channel-list?view=graph-rest-1.0&tabs=http
As a user, I am getting the channels that I am not a part of listed. There is no flag that notifies me whether I am, or am not, a part of that channel. But, if I try to get the messages of that channel using
https://learn.microsoft.com/en-us/graph/api/channel-get?view=graph-rest-1.0&tabs=http
then I get a 403 error - access forbidden.
The problem is, I don't want to have users see the channels on the channel list if they are not a part of that channel, but there is no way for me to check if I am a member of that channel, except by sending the 'Get Channel' request for each private or shared channel, to see if I get a 403 error.
Is this the expected Graph API behaviour, or not? Is there a way to overcome this issue I am facing?
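The per-channel probe described in the question above, as an added example that is not part of the original post or Microsoft's code: it lists a team's channels and drops any non-standard channel whose Get Channel call returns 403, failing closed on any other error. The `get` transport, `fake_get` and the sample responses are constructed for illustration, and the 403 behaviour is assumed from the poster's report.

```python
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def graph_get(token):
    """Return a get(path) -> (status, body) callable using a delegated access token."""
    def get(path):
        req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, {}
    return get

def accessible_channels(get, team_id):
    """List a team's channels, dropping non-standard ones whose Get Channel call returns 403."""
    status, body = get(f"/teams/{team_id}/channels")
    if status != 200:
        raise RuntimeError(f"channel list failed with HTTP {status}")
    visible = []
    for channel in body.get("value", []):
        # Probe anything not explicitly "standard" (private, shared, or missing type).
        if channel.get("membershipType") != "standard":
            probe, _ = get(f"/teams/{team_id}/channels/{channel['id']}")
            if probe == 403:
                continue  # listed, but the signed-in user has no access
            if probe != 200:
                # Fail closed: do not show a channel whose access could not be confirmed.
                raise RuntimeError(f"probe of {channel['id']} failed with HTTP {probe}")
        visible.append(channel)
    return visible

# Constructed sample responses (not real Graph output), keyed by request path.
SAMPLE = {
    "/teams/t1/channels": (200, {"value": [
        {"id": "c-general", "displayName": "General", "membershipType": "standard"},
        {"id": "c-priv-in", "displayName": "Budget", "membershipType": "private"},
        {"id": "c-priv-out", "displayName": "HR", "membershipType": "private"},
        {"id": "c-shared-out", "displayName": "Partners", "membershipType": "shared"},
    ]}),
    "/teams/t1/channels/c-priv-in": (200, {"id": "c-priv-in"}),
    "/teams/t1/channels/c-priv-out": (403, {}),
    "/teams/t1/channels/c-shared-out": (403, {}),
}

def fake_get(path):
    return SAMPLE.get(path, (404, {}))
```

Calling `accessible_channels(graph_get(token), team_id)` runs the same filter against the live API; each private or shared channel costs one extra request.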
3 Replies
- What permissions are you running with? An admin user will be able to see all channels, without having to be a member of the parent team. Similarly, an Owner of the Team would see all private channels associated with it, while still not being able to access data therein.
- mteinovic (Copper Contributor)
VasilMichev Any response you might have?
- mteinovic (Copper Contributor)
VasilMichev these are the permissions: Channel.ReadBasic.All, ChannelMessage.Read.All, ChannelMessage.Send, Chat.ReadWrite, Contacts.ReadWrite, GroupMember.Read.All, openid, Presence.Read.All, profile, Team.ReadBasic.All, User.Read.All, email
I am not the Owner of the Team, I was added to it. I was added to some Private channels and then kicked out of them, but I am still getting them listed when fetching the Channel list.
Maybe I'm missing something, but I don't see an issue with the permissions in my situation.