Bo is a Principal Consultant for ThreeWill. He has 18 years of full lifecycle software development experience.
How to get a user’s effective permissions on a SharePoint List
I’d like to share the most recent challenge I encountered and how I solved it to save you some of the grey hairs I acquired.
If you’ve been a SharePoint developer or user for more than 15 minutes, you know there are always multiple ways to achieve something. This is true in the UI and it is true with the REST API. A successful SharePoint developer is one who lives the mantra “if at first you don’t succeed, try, try again”.
I’m developing an SPFx web part and began layering support to properly respect list-based security. Essentially, there are some lists that will be secured to a subset of individuals, and the custom UI needed to respect these permissions to security-trim controls appropriately. Of course, since this is client-side, I’m using the REST API or, more specifically, the fluent libraries in PnPjs.
Initially, I was using this method to get the current user’s effective permissions.
let perms = await sp.web.lists.getByTitle(listTitle).getCurrentUserEffectivePermissions()
Which generated this REST call:
https://bothreewill.sharepoint.com/sites/ChickfilaDev/_api/web/lists/getByTitle('Projects')/getUserEffectivePermissions(@user)?@user=%27i%3A0%23.f%7Cmembership%7Cbgeorge_threewill.com%23ext%23%40bothreewill.onmicrosoft.com%27
As I was going through testing cycles, I was breaking, manipulating and re-inheriting permissions on my SharePoint lists and eventually began getting 403 Access Denied errors occurring for my Guest User accounts on that API. They’d worked and then they didn’t. My tenant-based users seemed to be unaffected and Guests were sometimes okay.
If there is a bug I hate, it’s a random one that comes and goes. I had to find a solution. I ended up finding this issue and ensuing conversation that got the wheels turning. In my research, I’d also seen this old C# code example on working with permissions, and I put two and two together and decided to take a different approach.
I ended up changing to using this method to get the current user’s effective permissions.
let perms = await sp.web.lists.getByTitle(listTitle).effectiveBasePermissions.get()
Which generated this REST call:
https://bothreewill.sharepoint.com/sites/ChickfilaDev/_api/web/lists/getByTitle('Projects')/EffectiveBasePermissions
And… Drum roll… It always worked as I expected, no matter the type of user or permission changes I made. I appreciate that sort of consistency.
Hopefully, this can help someone else who may find themselves in a similar conundrum.
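EffectiveBasePermissions returns a 64-bit mask split into High and Low values, so security trimming comes down to testing individual bits. The following is an added example, not code from the original post: parseMask, hasPermission, trimControls and the sample masks are constructed for illustration, with bit positions taken from SharePoint's PermissionKind enumeration.

```javascript
// Added example, not from the original post. Bit positions follow SharePoint's
// PermissionKind enumeration; function names and sample masks are constructed.
const PermissionKind = Object.freeze({
  ViewListItems: 1, AddListItems: 2, EditListItems: 3,
  DeleteListItems: 4, ManagePermissions: 26,
});

// High and Low may arrive as decimal strings or numbers. Normalize them to
// unsigned 32-bit integers; a missing or malformed mask yields null.
function parseMask(raw) {
  if (!raw) return null;
  const high = Number(raw.High);
  const low = Number(raw.Low);
  const ok = (n) => Number.isInteger(n) && n >= 0 && n <= 0xffffffff;
  return ok(high) && ok(low) ? { high, low } : null;
}

// PermissionKind n is bit n-1 of the 64-bit mask: bits 0-31 are in Low,
// bits 32-63 are in High. Unknown input fails closed (no permission).
function hasPermission(raw, kind) {
  const mask = parseMask(raw);
  if (mask === null || !Number.isInteger(kind) || kind < 1 || kind > 64) {
    return false;
  }
  const bit = kind - 1;
  const word = bit < 32 ? mask.low : mask.high;
  return ((word >>> (bit % 32)) & 1) === 1;
}

// Decide which list controls the web part renders. This only trims the UI;
// SharePoint still enforces the permissions on every request.
function trimControls(raw) {
  return {
    view: hasPermission(raw, PermissionKind.ViewListItems),
    add: hasPermission(raw, PermissionKind.AddListItems),
    edit: hasPermission(raw, PermissionKind.EditListItems),
    remove: hasPermission(raw, PermissionKind.DeleteListItems),
    manageAccess: hasPermission(raw, PermissionKind.ManagePermissions),
  };
}

// Constructed sample masks in the { High, Low } shape of the response.
const readerMask = { High: "176", Low: "138612833" };
const contributorMask = { High: "432", Low: "1011028719" };
const ownerMask = { High: "2147483647", Low: "4294967295" };

console.log(trimControls(contributorMask));
```

In the web part, pass the result of `effectiveBasePermissions.get()` to `trimControls` and render only the controls whose flag is true.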