Setting SharePoint Online permissions using SPFX and its limitations


I've been developing SPFX webparts and have come up against an issue when trying to set permissions. I knew that a user without Full Control permissions cannot change permissions on a securable (SPO list item or file). This I foolishly realised after many weeks of developing using the SPFX workbench, only to deploy a version to a real site, sign in as a user without Full Control, and attempt to create a list item or file, only for it to give back 403 errors, forbidden or access denied when the item is created and the pnp/sp kicks in (for e.g.):
```typescript
import { sp } from "@pnp/sp"; // pnpjs v1-style API, as used in the post

// Both breakRoleInheritance and roleAssignments.add require Manage Permissions on the item.
const ReadroleDefinition = await sp.web.roleDefinitions.getByName("Read").get();
await sp.web.lists.getByTitle('Attachments').items.getById(theId).breakRoleInheritance(true, true);

if (DeptContact) { // DeptContact: principal id of the department contact user/group
    await sp.web.lists.getByTitle('Attachments').items.getById(theId).roleAssignments.add(DeptContact, ReadroleDefinition.Id);
}
```
I elevated the user's permissions incrementally, from Contribute to Edit to Design; none worked until finally I increased it to Full Control. This allowed the user to work with the form as normal.

The big problem this caused, though, was that the user had Full Control, which for the customer was far too much power!
My question:

Is there a way to create a webpart/extension using pnp/sp that can change permissions on an item/file without the user needing Full Control?
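
The 403 in the post is SharePoint's permission check: breakRoleInheritance and roleAssignments.add both need the Manage Permissions right on the item, which none of the default Contribute, Edit or Design levels include and Full Control does. As an added example, not code from the original post, the TypeScript below decodes the BasePermissions High/Low pair that SharePoint REST returns (for example an item's EffectiveBasePermissions field) and tests the ManagePermissions bit, so a web part can disable the permission-changing branch up front instead of letting the call fail. The enum values are SharePoint's SP.PermissionKind values; the two sample masks are constructed here, not captured from a tenant, and the function and constant names are this example's own.

```typescript
// Added example, not code from the original post: decode the BasePermissions that
// SharePoint REST returns and check for the right the posted snippet needs.

// Subset of SharePoint's SP.PermissionKind; each value is a 1-based bit position
// in the 64-bit permission mask.
enum PermissionKind {
  ViewListItems = 1,
  AddListItems = 2,
  EditListItems = 3,
  DeleteListItems = 4,
  ManageLists = 12,
  ManagePermissions = 26,
  ManageWeb = 31,
  EnumeratePermissions = 63,
}

// Shape of a BasePermissions value as returned by REST (for example an item's
// EffectiveBasePermissions field): two 32-bit halves, serialised as strings.
interface BasePermissions {
  High: string | number;
  Low: string | number;
}

// Low carries bits 0-31, High carries bits 32-63; bit index = kind - 1.
function hasPermission(perms: BasePermissions, kind: PermissionKind): boolean {
  const bit = kind - 1;
  const half = bit < 32 ? Number(perms.Low) : Number(perms.High);
  return ((half >>> (bit % 32)) & 1) === 1;
}

// Compose a mask from kinds; used below only to construct sample input.
function maskOf(kinds: PermissionKind[]): BasePermissions {
  let low = 0;
  let high = 0;
  for (const kind of kinds) {
    const bit = kind - 1;
    if (bit < 32) {
      low = (low | (1 << bit)) >>> 0;
    } else {
      high = (high | (1 << (bit - 32))) >>> 0;
    }
  }
  return { High: String(high), Low: String(low) };
}

// breakRoleInheritance and roleAssignments.add both need Manage Permissions on the
// securable; that is the right the post's 403 is about.
const RIGHTS_NEEDED: PermissionKind[] = [PermissionKind.ManagePermissions];

function missingRights(perms: BasePermissions): PermissionKind[] {
  return RIGHTS_NEEDED.filter((kind) => !hasPermission(perms, kind));
}

// Gate the permission-changing branch on this instead of letting the REST call 403.
function canSetItemPermissions(perms: BasePermissions): boolean {
  return missingRights(perms).length === 0;
}

// Constructed sample payloads (not captured from a tenant). EDIT_LIKE models a level
// with list/item editing rights but no Manage Permissions; FULL_CONTROL is the FullMask
// (High 0x7FFFFFFF, Low 0xFFFFFFFF) that Full Control reports.
const EDIT_LIKE: BasePermissions = maskOf([
  PermissionKind.ViewListItems,
  PermissionKind.AddListItems,
  PermissionKind.EditListItems,
  PermissionKind.DeleteListItems,
  PermissionKind.ManageLists,
]);
const FULL_CONTROL: BasePermissions = { High: "2147483647", Low: "4294967295" };

console.log("edit-like can manage permissions:", canSetItemPermissions(EDIT_LIKE)); // false
console.log("full control can manage permissions:", canSetItemPermissions(FULL_CONTROL)); // true
```

In a web part the BasePermissions value would come from the item (select EffectiveBasePermissions) or from getusereffectivepermissions, and canSetItemPermissions would decide whether to show the permission-setting part of the form at all; this is a usability guard, not a substitute for the server-side check, which still rejects the call for any user lacking the right.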
0 Replies