User with full control permission to a document library got permission denied with add-pnpfile

[yzdoe]

Reporting an Issue or Missing Feature

Issue

Expected behavior

Add-PnpFile should successfully upload file to the specified folder

Actual behavior

Only if a user is an owner of the site add-pnpfile works. Even though the user is given full control to the document library.

Steps to reproduce behavior

Connect-PnPOnline -Url 'the_sharepoint_url' Add-PnPFile -Path test.txt -Folder 'the_document_library'

Which version of the PnP-PowerShell Cmdlets are you using?

• [ ] PnP PowerShell for SharePoint 2013
• [ ] PnP PowerShell for SharePoint 2016
• [X] PnP PowerShell for SharePoint Online

What is the version of the Cmdlet module you are running?

3.17.20

How did you install the PnP-PowerShell Cmdlets?

• [ ] MSI Installed downloaded from GitHub
• [X] Installed through the PowerShell Gallery with Install-Module
• [ ] Other means

one user who is an owner of the site, pnp-addfile works, the owner's permission on the document library is as follows:

the other user who has identical permission on the document library got permission denied when using add-pnpfile:

[ghost]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[jackpoz]

The way Add-PnPFile is implemented requires to iterate over the RootFolders of the Siteto find the one specified in the -Folder parameter. What permissions does the user have at Site level ? Could you try granting incremental permissions (Read, Contribute, etc) at Site level ?

[yzdoe]

At site level, the user has 'Edit, Limited Access'.

Since the user has 'Edit' permission already, I don't know what other permission than 'Full Control' I can try. I know 'Full Control' at site level will work, but that seems too much for just copying files to one specific document library. I want to find the minimum permission level for using add-pnpfile to one specific document library.

[yzdoe]

OK, I checked what 'Edit' permission means: the following is what I got. So for 'List Permissions' (I think that's the only section relevant), only 'Override List Behaviors' and 'Approve items' are missing.

[yzdoe]

Also, even though the user can not use 'add-pnpfile' to copy a file but they can use web browser to upload a file to the document library. Shouldn't the two ways be consistent? If a user can upload a file through web browser, they should be add a file through add-pnpfile?

[jackpoz]

One possible workaround until this issue is fixed is to get the folder with

$folder = Get-PnPFolder $libraryName

of type Microsoft.SharePoint.Client.Folder and then use CSOM to upload the file.

[jackpoz]

I created a PR at https://github.com/SharePoint/PnP-PowerShell/pull/2478 . It's definitely not perfect as it still throws an "Access Denied" error if the specified Subfolder in the Library doesn't exist, but at least files get uploaded without any error using your How To Reproduce steps.

[yzdoe]

Thanks, subfolder is not an issue, user can create subfolders without problem in existing document library as long as they have edit permission. They can't create document library, the top folder, without proper site wide permission, but that's expected.

[yzdoe]

@jackpoz Don't know why your PR 2478 didn't get this "status:checked and ready for merge" sticker. A couple of newer PRs got that already. Looks like it won't be in the next release?

[jackpoz]

It takes time to review and merge PRs, maybe it will be in next or the one after.

Did you have time to test locally that PR ? Did it fix the issue/improve it ?

[yzdoe]

This is a work related issue and I don't have Visual Studio compiler at work. I will find out if there is any free compiler so that I can test.

[yzdoe]

@jackpoz I merged recent dev version of this repository to your pull request branch, and it works fine.

[jackpoz]

Glad to hear :) maybe write your feedback in the PR too, it will help the PnP team decide when to merge it :)

[yzdoe]

Commented under the pull request. Thanks for the fix.