Open jbartolome opened 7 years ago
Hi,
Yesterday, one of our clients reported an issue with a Provider-Hosted App we had developped last year.
The issue is very similar: the app crashes approximatively 80% of the time we try to use it, and the troubleshooting lead us to the method we use to retrieve the user's properties:
SharePointContext spContext = SharePointContextProvider.Current.GetSharePointContext(Context);
using (ClientContext clientContext = spContext.CreateUserClientContextForSPHost())
{
Web web = clientContext.Web;
clientContext.Load(web);
clientContext.ExecuteQuery();
try
{
PeopleManager peopleManager = new PeopleManager(clientContext);
PersonProperties personProperties = peopleManager.GetPropertiesFor(loginName);
clientContext.Load(personProperties);
clientContext.ExecuteQuery();
return personProperties;
}
catch (Exception ex)
{
Response.AppendToLog(ex.StackTrace);
return null;
}
}
The error we got is the same as well:
You do not have permission to perform this action or access this resource.
I know that posting this will not help solving the issue. However, since this App has been working for several months and until a few days ago (at most), it felt relevant to report, since this may not be an issue for the PnP sample only.
@Syel - It's great knowing that I'm not alone in this and I'm certain many of us who use this method would appreciate any type of insight for this. I actually have been using this method for not only the sample, but also in another SharePoint Online provider-hosted app using low-trust authentication. Both the sample code provided by the PnP and our provider-hosted app received the same error until I made the corrections on the AppManifest.xml file and the AppPermissions
to scope to FullControl
for the tenant and tenant/social (the UserProfiles
).
I'm going to keep testing out various combinations in permissions because I do not like the thought of giving our Add-in FullControl
of the tenant.
@jbartolome did you ever get any up on this? I was trying the Provisioning.SiteCreation sample and am in the same boat. It is like the TokenHelper is not getting a valid token?
@lousimonetti @jbartolome. We are facing the same issue ([ServerUnauthorizedAccessException: Access denied. You do not have permission to perform this action or access this resource.]). I've even extended permissions to Tenant = Read, and today error appeared again. I will add only that my Provided Hosted Add-In is working 99% time fine, but sometimes, without any reasons, the error come back. Did you find any workaround how to fix it?
We are running into this same issue with an app that is in production and working, We are doing some bug fixes and additions and in the development environment are getting access denied when trying to execute the below with an app only context, Based on the comments above this seems to have been deprecated but can someone provide me with an official MS Post stating that.
PeopleManager peopleManager = new PeopleManager(ctx);
PersonProperties personProperties = peopleManager.GetPropertiesFor(currentUser.LoginName);
ctx.Load(personProperties, p => p.AccountName, p => p.UserProfileProperties);
ctx.ExecuteQuery();
@VesaJuvonen help us ob1 you are the only one that can
I'm having a similar issue; however, in my case I'm using an app-only client context (spContext.CreateAppOnlyClientContextForSPHost()
). Does the type of client context object matter (meaning: app-only versus user) with respect to pulling user profile properties (assuming the add-in has the Read
permission on the http://sharepoint/social/tenant
scope)?
Looking at @jbartolome's original post, the referenced code sample uses a user client context. According to this documentation, it would seem that getting user profile properties using an app client context just isn't supported anymore?
AllowAppOnlyPolicy does not work with...User Profile CSOM operations...
Category
[x] Bug
Environment
[x] Office 365 / SharePoint Online
Expected or Desired Behavior
I attempted to run the following SharePoint PnP Sample found here: https://github.com/SharePoint/PnP/tree/master/Samples/UserProfile.Manipulation.CSOM
I specifically was interested in the expected/desired behavior to retrieve the user profile information when clicking the button for CodeSample1.aspx.
Observed Behavior
I had success one-time in outputting the list of user profile properties, however, upon subsequent debugging attempts, I get the following error when executing the line containing "clientContext.ExecuteQuery();":
I made sure to update the AppManifest.xml file with the appropriate permissions for the add-in to "Write" to the User Profiles (Social) of the tenant, so it looked like this in code:
With some research, I discovered that there is a new development pattern for using Tenant permissions for App-Only SharePoint Add-in's. I followed the steps found here: Developing using Tenant permissions with App-Only in SharePoint Online
Registering the add-in was a great exercise, however, I was still encountering the error on the line for "clientContext.ExecuteQuery();". I realized that this was still a permission issue and I had to assign the add-in with the appropriate permissions. I was able to get it to work by modifying the AppManifest.xml file with the following:
Now, my next goal is to reduce the amount of permissions such that it is sufficient for the add-in. I have not yet tried this, but I wanted to share my findings with others who are using a low-trust authorization for SharePoint provider-hosted add-in's (or apps) and are running into this issue. I believe that the permission request that was truly needed falls under the "/content/tenant" section, however, more testing needs to be done on this.
Any feedback on this approach and/or why this was not mentioned in the sample code is greatly appreciated!
Steps to Reproduce
I am using a development environment to debug the application on SharePoint Online. The steps that I followed were basically found in the sample found in Step 1.
The add-in may run successfully a couple of times then suddenly fail upon the "clientContext.ExecuteQuery();" call.