SharePoint / sp-dev-docs

SharePoint & Viva Connections Developer Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/
Creative Commons Attribution 4.0 International

createDefaultAssociatedGroups throws exception for modern sites #6760

Open nbelyh opened 3 years ago

nbelyh commented 3 years ago

Category

Describe the bug

Summary: The SharePoint REST API method createDefaultAssociatedGroups throws an "Access Denied" exception for modern sites (if the setting "No Script Site" is set to true, which is the default).

This is a duplicate of https://github.com/pnp/pnpjs/issues/1575; please kindly read the discussion there before closing this one. It's not about pnp-js; it's about the core SharePoint API, reproducible with any client library (PowerShell, PnP, CSOM). I'm highlighting this because the previous issue has been closed as unrelated, and I have been told it's okay to create another one with a proper example in the REST API, so here it is, basically.

Steps to reproduce (REST API)

#### create a site
POST /_api/web/webs/add
{"parameters":{
    "__metadata":{"type":"SP.WebCreationInformation"},
    "Url":"child",
    "Title":"My Site",
    "Description":"My Description",
    "Language":1033,
    "UseSamePermissionsAsParentSite":false,
    "WebTemplate":"STS#3"
    }
}

#### create default groups
POST /child/_api/web/createDefaultAssociatedGroups(userLogin='',userLogin2='',groupNameSeed='')  <<< 403 here

Basically, the issue is that the call to createDefaultAssociatedGroups results in a 403: Access denied for the farm admin. Important notice: If you allow custom scripts (???), the call works.

The CSOM calls also behave the same way:

Web newWeb = ctx.Web.CreateWeb("My Site", "child", "My Description", "STS#3", 1033, false);
ctx.ExecuteQuery();
newWeb.CreateDefaultAssociatedGroups("", "", "");
ctx.ExecuteQuery();  // <<< 403 here

For the pnp-js example please check the linked issue.

Expected behavior

The call to create default groups for a site works regardless of the scripting setting. For the farm (global) admin, at least.

If you do it from the UI manually (using the /_layouts/permsetup.aspx page), then it works regardless of the "custom scripts" setting.

Environment details (development & target environment)

Additional information

Related issue on Stack Overflow (for CSOM access): https://sharepoint.stackexchange.com/questions/240933/why-would-createdefaultassociatedgroups-stop-to-serverunauthorizedaccessexceptio

ghost commented 3 years ago

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.