pnp / pnpcore

The PnP Core SDK is a modern .NET SDK designed to work for Microsoft 365. It provides a unified object model for working with SharePoint Online and Teams which is agnostic to the underlying APIs being called.
https://aka.ms/pnp/coresdk/docs
MIT License

Write permission is required to read SharePoint folders #1583

Open ianleeder opened 17 hours ago

ianleeder commented 17 hours ago

Category

Describe the bug

I'm not sure if this will be a PnP bug, or a SharePoint API. But if I attempt to list folders using an App Registration that only has the permission Sites.Read.All, I get the following 403 error:

2024-11-27 14:22:01.5375|Error|SharePoint.SharePointServiceLayer.Test|Unhandled exception! |HttpResponseCode: 403
Code: System.UnauthorizedAccessException
Message: Access denied.
ClientRequestId: 0bdd67a1-4050-4000-307d-ec5f4dbc24ae
SPClientServiceRequestDuration: 15
X-SharePointHealthScore: 1
X-SP-SERVERSTATE: ReadOnly=0

PnP.Core.SharePointRestServiceException: SharePoint Rest service exception
   at PnP.Core.Services.BatchClient.ExecuteSharePointRestInteractiveAsync(Batch batch)
   at PnP.Core.Services.BatchClient.ExecuteSharePointRestBatchAsync(Batch batch)
   at PnP.Core.Services.BatchClient.ExecuteBatch(Batch batch)
   at PnP.Core.Services.PnPContext.ExecuteAsync(Boolean throwOnError)
   at PnP.Core.QueryModel.DataModelQueryService`1.ExecuteQueryAsync(Type expressionType, ODataQuery`1 query, CancellationToken token)
   at PnP.Core.QueryModel.BaseQueryProvider.GetAsyncEnumerable[TResult](Expression expression, CancellationToken token)+MoveNext()
   at PnP.Core.QueryModel.BaseQueryProvider.GetAsyncEnumerable[TResult](Expression expression, CancellationToken token)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
   at PnP.Core.QueryModel.QueryableExtensions.ToListAsync[TSource](IQueryable`1 source, CancellationToken cancellationToken)
   at PnP.Core.QueryModel.QueryableExtensions.ToListAsync[TSource](IQueryable`1 source, CancellationToken cancellationToken)
   at SharePoint.SharePointServiceLayer.ListFiles() in /workspace/src/SharePoint/SharePointServiceLayer.cs:line 60
   at SharePoint.SharePointServiceLayer.Test() in /workspace/src/SharePoint/SharePointServiceLayer.cs:line 22

Reading lists with read-only works fine, and reading folders with read-write works.

Sites.Read.All Sites.ReadWrite.All
var lists = await context.Web.Lists.ToListAsync();
var folders = await context.Web.Folders.ToListAsync();

Steps to reproduce

  1. Use a certificate to authenticate to an App Registration
  2. Grant the App Registration the SharePoint permission Sites.Read.All
  3. Run the following code snippet:
    var folders = await context.Web.Folders.ToListAsync();

Expected behavior

Given that I am only reading folders from SharePoint, I expect to be able to do this with read-only permission. If this is not possible for some technical reason, I expect that it is clearly and boldly indicated in the documentation, and in the exception.

Environment details (development & target environment)

ianleeder commented 13 hours ago

I'm still trying to wrap my head around the SDK and the models, and I may have misunderstood Folders. But I still don't think I should be getting a 403 when reading with read-only access.
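
A first triage step for a 403 like the one reported above is to confirm which application permissions the app-only access token actually carries, since Entra ID lists them in the token's `roles` claim. The following is an added example, not code from the issue or from the PnP Core SDK; it reads that claim from a constructed, unsigned sample token (the tenant name and token contents are placeholders) using only `System.Text.Json`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenRoles
{
    // Decodes the JWT payload WITHOUT validating the signature.
    // Use for diagnostics only, never for an authorization decision.
    public static IReadOnlyList<string> Read(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Not a compact JWT (expected 3 segments).");

        // base64url -> base64, restoring the padding that JWTs strip
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');

        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        var roles = new List<string>();
        if (doc.RootElement.TryGetProperty("roles", out var claim)
            && claim.ValueKind == JsonValueKind.Array)
        {
            foreach (var r in claim.EnumerateArray())
                if (r.ValueKind == JsonValueKind.String) roles.Add(r.GetString()!);
        }
        // Empty list: delegated token, or no application permission consented.
        return roles;
    }
}

public static class Program
{
    static string B64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed sample token (assumption): unsigned, placeholder tenant.
        var payload = "{\"aud\":\"https://contoso.sharepoint.com\",\"roles\":[\"Sites.Read.All\"]}";
        var jwt = B64Url("{\"alg\":\"none\"}") + "." + B64Url(payload) + ".sig";

        var roles = TokenRoles.Read(jwt);
        Console.WriteLine("roles: " + string.Join(", ", roles));
        Console.WriteLine("has Sites.ReadWrite.All: " + roles.Contains("Sites.ReadWrite.All"));
    }
}
```

Logging the decoded roles next to the `ClientRequestId` from the exception shows whether the 403 was returned for a token that really held only `Sites.Read.All`.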