SharePoint托管应用程序：使用“管理”权限中断角色继承返回未授权 [英] SharePoint hosted app: Break Role Inheritance with 'Manage' right returns Unauthorized

问题描述

我有一个SharePoint托管的应用程序，我想打破应用程序页面中的列表项的角色继承（在租户站点中）。该应用有"管理"功能网络上的权利（租户和主机）。问题是列表项
上的中断角色继承返回401：未授权。

我已经简化了JavaScript代码并设法使用以下代码重新生成错误：

 
 $（document）.ready（function（）{
 var listID = getQueryStringParameter（'listId '）; 
 list = web.get_lists（）。getById（listID）; 
 context.load（list）; 
 context.executeQueryAsync（function（）{test（）;}，function （）{}）; 
}）; 
 function test（）{
 var item = list.getItemById（id）; 
 context.load（item，'RoleAssignments'）; 
 
 context.executeQueryAsync（function（）{
 alert（'succeeded'）; 
}，function（cr，crev）{
 alert（'failed：' + crev.get_message（））; //这里它返回拒绝访问。
}）; 
} 
 
 

哪个会失败，因为mesasge"拒绝访问"。您无权执行此操作或访问此资源"。 SharePoint在服务器上登录：

 
权限检查失败。要求0x4000000000000000，有0xb03c0312ef 
范围Microsoft.SharePoint.SPRoleAssignmentCollection._SerializeToJson发生异常。 Exception = System.UnauthorizedAccessException：尝试执行未经授权的操作。 
 at Microsoft.SharePoint.SPSecurableObject.CheckPermissions（SPBasePermissions permissionMask）
 at Microsoft.SharePoint.SPRoleAssignmentCollection.Init（）
 at Microsoft.SharePoint.SPBaseCollection.GetEnumerator（）
 at Microsoft .SharePoint.Client.ServerStub。< EnumerateChildItems> d__36.MoveNext（）
 at Microsoft.SharePoint.Client.ServerStub.WriteChildItems（JsonWriter writer，Object obj，ClientObjectQuery objectQuery，ProxyContext proxyContext）
 at Microsoft。 SharePoint.Client.ServerStub.WriteAsJson（JsonWriter writer，Object obj，ClientObjectQuery objectQuery，ProxyContext proxyContext）
 at Microsoft.SharePoint.Client.ServerStub.WriteAsJsonWithMonitoredScope（JsonWriter writer，Object value，ClientObjectQuery objectQuery，ProxyContext proxyContext）
 
 

检查Microsoft文章应用程序权限SharePoint 2013和SharePoint中的权限级别显示"管理"和"管理"。应用中的权利等于"设计"许可级别没有"枚举权限"基本权限默认为
。这是否意味着SharePoint应用无法修改网站上的权限？

更新：

如果我将应用权限更改为"完全控制"一切正常。

解决方案

管理权限应该有效。您能否提供您在应用中定义的应用权限。请确保您已获得列表的管理权限。

其他想法是你也可以使用仅适用于应用的政策。这已在此处描述。

http://blogs.msdn.com/b/kaevans/archive/2013/02/23/ sharepoint-2013-app-only-policy-made-easy.aspx

I have a SharePoint hosted app that I want to break the role inheritance of a list item in the app page (in tenant site). The app has "Manage" rights on the web (both tenant and host). The problem is that the break role inheritance on list item returns 401: Unauthorized.

I have simplified the JavaScript code and managed to regenerate the error with the following code:

$(document).ready(function () {
    var listID = getQueryStringParameter('listId');
    list = web.get_lists().getById(listID);
    context.load(list);
    context.executeQueryAsync(function () {test();},function(){});
});
function test() {
    var item = list.getItemById(id);
    context.load(item, 'RoleAssignments');

    context.executeQueryAsync(function () {
        alert('succeeded');
    }, function (cr,crev) {
        alert('failed: '+crev.get_message()); // here it returns Access denied.
    });
}

Which will fail with mesasge "Access denied. You do not have permission to perform this action or access this resource". SharePoint logs on the server:

Permission check failed. asking for 0x4000000000000000, have 0xb03c0312ef
Exception occured in scope Microsoft.SharePoint.SPRoleAssignmentCollection._SerializeToJson. Exception=System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
     at Microsoft.SharePoint.SPSecurableObject.CheckPermissions(SPBasePermissions permissionMask)
     at Microsoft.SharePoint.SPRoleAssignmentCollection.Init()
     at Microsoft.SharePoint.SPBaseCollection.GetEnumerator()
     at Microsoft.SharePoint.Client.ServerStub.<EnumerateChildItems>d__36.MoveNext()
     at Microsoft.SharePoint.Client.ServerStub.WriteChildItems(JsonWriter writer, Object obj, ClientObjectQuery objectQuery, ProxyContext proxyContext)
     at Microsoft.SharePoint.Client.ServerStub.WriteAsJson(JsonWriter writer, Object obj, ClientObjectQuery objectQuery, ProxyContext proxyContext)
     at Microsoft.SharePoint.Client.ServerStub.WriteAsJsonWithMonitoredScope(JsonWriter writer, Object value, ClientObjectQuery objectQuery, ProxyContext proxyContext)

Checking Microsoft article App permissions in SharePoint 2013 and permission levels in SharePoint shows that "Manage" right in apps is equal to "Design" permission level which does not have the "Enumerate Permissions" base permission by default. So does this mean that there is no way for a SharePoint app to modify permissions on a site?

Update:

If I change the app permissions to "Full Control" everything works fine.

解决方案

Manage permission should work. Can you please provide the app permission that you are defined in the app. Please ensure you have given manage permission to the list as well.

Other thought is you can use the app only policy as well. This has been described here.

http://blogs.msdn.com/b/kaevans/archive/2013/02/23/sharepoint-2013-app-only-policy-made-easy.aspx

这篇关于SharePoint托管应用程序：使用“管理”权限中断角色继承返回未授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！