SPoL: Does user have Full Control, Edit or Read permissions?


Hi, We are trying to write a function for an add-in that determines if the currently logged in SP Online user has Full Control Permission Level, Edit or Read. It seems to be more difficult than anticipated so perhaps we're missing something. We currently make API calls:

 

%s/_api/Web/AssociatedOwnerGroup 
OR
%s/_api/Web/AssociatedMemberGroup 

 

And that works if the user is not a "modern authentication" user. Meaning, if the user is in an AAD or O365 Group, and that group is given direct permission to the site, the above APIs don't return those users, just the AAD/O365 group. Then we start making graph API calls and not all of them return the user's email, which sets us up for more API calls. This is getting expensive!

 

We're also attempting to decipher the high/low bit mask returned by the effectiveBasePermission API call. 

 

Are we missing something? Is there an easier way to determine if an authenticated SharePoint user has Full Control, Read or Edit Permission Level?

 

Thanks!

 

Sharon

0 Replies