5

When using the CSOM, Microsoft.SharePoint.Client.Web.GetSubwebsForCurrentUser returns a 'security trimmed' collection of all sub webs that the current user has access to.

e.g.

string currentWeb = website.Title; // Just prove have access to root website

var subWebs = website.GetSubwebsForCurrentUser(null); 

clientContext.Load(subWebs);
clientContext.ExecuteQuery();

What could cause this method to throw an Access Denied exception (at ExecuteQuery) when the user DOES appear to have access to the main site and sub-sites? Isn't avoiding Access Denied the whole purpose of this method?

Ryan
  • But! I did find this: "Properties: Id, Title, ServerRelativeUrl of SPWeb don't throw exception if no view permissions to SPWeb." here http://social.msdn.microsoft.com/Forums/sharepoint/en-US/90bb792f-915d-49c6-86f4-75ef687f85aa/security-trimming-problem-with-client-side-call-to-clientsvc?forum=sharepointdevelopment so I guess you would need to read another property than "Title" to make sure the user has access to the rootweb – Robert Lindgren Feb 26 '14 at 16:10
  • Bizarrely in my testing I've found cases where I can get ID, Title etc of SPWeb even when don't have access and others where I can only get ID - and I've no idea why... – Ryan Feb 26 '14 at 18:32
  • Can there be a difference if it is the RootWeb or not? Thinking that you have access to some more metadata on the root web than on subwebs – Robert Lindgren Feb 26 '14 at 18:35
  • Nice thought but no. Been mucking around for hours and can't find a common theme of when can get ID and when can get ID, Title etc. – Ryan Feb 26 '14 at 19:24

1 Answer

3

I am using the CSOM model using oAuth/SharePoint app model.

Turns out the App Permission had been removed from a subsite (Site Settings > Site App Permissions). Whilst GetSubwebsForCurrentUser will trim out subwebs that the user doesn't have access to, it will still throw a ServerUnauthorizedAccessException if there is a subweb that the App doesn't have access to.

In testing I could always still access Web.ID - e.g.

context.Load(subWebs, ws => ws.Include(w => w.Id));

(And for some sites could access .Title, .URL etc - but not all and can't find a common theme)

So to make this robust would have to get just the IDs of all subwebs we can access, then separately load the subwebs, catching any ServerUnauthorizedAccessException.

Ryan
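The two-step approach the answer describes, as an added example that is not code from the original post: load only the Ids of the subwebs, then load each subweb in its own request and record the ones the app is denied on. The class and method names are hypothetical, and using Site.OpenWebById to reopen each subweb is an assumption about how to do the second step; the page does not say how the author did it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint.Client;

// Hypothetical helper, not part of the original answer.
public static class SubwebEnumerator
{
    // Returns the subwebs whose properties could be loaded; 'denied' receives
    // the Ids of subwebs that threw ServerUnauthorizedAccessException, so a
    // missing app permission is reported instead of failing the whole query.
    public static IList<Web> LoadAccessibleSubwebs(ClientContext context,
                                                   out IList<Guid> denied)
    {
        denied = new List<Guid>();
        var accessible = new List<Web>();

        // Step 1: request only Id, which the answer found was always readable
        // even for subwebs where the app permission had been removed.
        WebCollection subWebs = context.Web.GetSubwebsForCurrentUser(null);
        context.Load(subWebs, ws => ws.Include(w => w.Id));
        context.ExecuteQuery();
        List<Guid> ids = subWebs.Select(w => w.Id).ToList();

        // Step 2: one request per subweb, so a denial affects only that subweb.
        foreach (Guid id in ids)
        {
            try
            {
                Web web = context.Site.OpenWebById(id); // assumption: reopen by Id
                context.Load(web, w => w.Id, w => w.Title, w => w.ServerRelativeUrl);
                context.ExecuteQuery();
                accessible.Add(web);
            }
            catch (ServerUnauthorizedAccessException)
            {
                // The user can see this subweb but the app cannot.
                denied.Add(id);
            }
        }
        return accessible;
    }
}
```

Logging the denied Ids makes a removed Site App Permission visible to an administrator rather than silently shrinking the result set.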