GetUserEffectivePermissions not working with External accounts #1350

Closed
FlorianLabranche opened this issue Jan 16, 2024 · 5 comments
@FlorianLabranche

FlorianLabranche commented Jan 16, 2024

Category

  • Bug

Describe the bug

Working in a SharePoint tenant (@contosodev.com) with External users from a second tenant (@contoso.com).
When I use GetUserEffectivePermissionsAsync() with an External user, I get 0 as High and Low permission mask.

Steps to reproduce

All requests are executed on tenant contosodev.sharepoint.com

  1. Using External User primary UPN (florian.labranche@contoso.com)

    • I can get the user using EnsureUserAsync("florian.labranche@contoso.com")
    • But when I request GetUserEffectivePermissionsAsync("florian.labranche@contoso.com") I got 0 as High and 0 as Low:
  2. Using External User UPN (florian.labranche_contoso.com#ext#@contosodev.onmicrosoft.com)

    • When I request GetUserEffectivePermissionsAsync("florian.labranche_contoso.com#ext#@contosodev.onmicrosoft.com") I have the following error:
      The expression "web/getusereffectivepermissions('i:0#.f|membership|florian.labranche_contoso.com" is not valid.

Expected behavior

  • GetUserEffectivePermissionsAsync should work using either upn from principal account (florian.labranche@contoso.com) or using the UserPrincipalName returned from EnsureUserAsync("florian.labranche@contoso.com") => "florian.labranche_contoso.com#ext#@contosodev.onmicrosoft.com".
  • Response should contain valid High and Low permission mask.

Environment details (development & target environment)

  • SDK version: 1.10 and 1.11
  • OS: Windows 10
  • SDK used in: Azure function apps
  • Framework: .NET 6
@jansenbe
Contributor

@FlorianLabranche : did you verify if calling the _api/web/getusereffectivepermissions(user UPN | User ID) does work for external accounts?

@jansenbe jansenbe self-assigned this Jan 18, 2024
@jansenbe jansenbe added area: model 📐 Related to the core SDK models question Further information is requested labels Jan 18, 2024
@FlorianLabranche
Author

FlorianLabranche commented Jan 18, 2024

@jansenbe : I just tried SP API.

  • Using florian.labranche@contoso.com (address from main tenant), it returns
    The user does not exist or is not unique.
  • Using florian.labranche_contoso.com#ext#@contosodev.onmicrosoft.com (External UPN) returns
    The expression "web/getusereffectivepermissions('florian.labranche_contoso.com" is not valid.
    The expression seems truncated, so I tried encoding the "#" but again it returns The user does not exist or is not unique.

But I tried using the SP LoginName i:0#.f|membership|florian.labranche_contoso.com#ext#@contosodev.onmicrosoft.com encoded and it returns the high and low permission masks.

I looked into your code and saw that you build the SP LoginName but the UPN is not encoded.

I finally tested by encoding the UPN when calling GetUserEffectivePermissionsAsync() and it works.

// HttpUtility lives in the System.Web namespace
var user = await PnPContext.Web.EnsureUserAsync("florian.labranche@contoso.com");
await PnPContext.Web.GetUserEffectivePermissionsAsync(HttpUtility.UrlEncode(user.UserPrincipalName));

Note: UPN is the External one with #EXT#. Those '#' are the cause of the issue.

Conclusion:
I have a working fix on my side but I don't know if UPN should be encoded in PnPCore method or if PnPCore should call EnsureUser() to get the "true" UPN and then encode it.
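
Added example (not part of the thread and not PnP Core SDK code): a C# illustration of why a raw '#' in the external UPN cuts the REST expression short, and how percent-encoding the whole login name keeps it intact. The class and method names are hypothetical; the host and account are the sample values from this issue.

```csharp
using System;

// Sample values taken from this issue; nothing is sent over the network.
const string web = "https://contosodev.sharepoint.com";
const string upn = "florian.labranche_contoso.com#ext#@contosodev.onmicrosoft.com";

Uri naive = EffectivePermissionsUrl.BuildUnencodedUpn(web, upn);
Uri safe = EffectivePermissionsUrl.Build(web, upn);

// An HTTP client sends only the path and query; the fragment never reaches the server.
Console.WriteLine("UPN not encoded");
Console.WriteLine("  path sent : " + Uri.UnescapeDataString(naive.AbsolutePath));
Console.WriteLine("  fragment  : " + naive.Fragment);
Console.WriteLine("Login name encoded");
Console.WriteLine("  path sent : " + Uri.UnescapeDataString(safe.AbsolutePath));
Console.WriteLine("  fragment  : " + (safe.Fragment.Length == 0 ? "(none)" : safe.Fragment));

// Hypothetical helper, not the SDK's implementation.
static class EffectivePermissionsUrl
{
    // Claims prefix of the SharePoint login name shown in the thread.
    private const string ClaimsPrefix = "i:0#.f|membership|";

    // Percent-encodes the complete login name, so '#', '|' and '@'
    // all arrive as data inside the quoted argument.
    public static Uri Build(string webUrl, string upn)
    {
        string encoded = Uri.EscapeDataString(ClaimsPrefix + upn);
        return new Uri($"{webUrl.TrimEnd('/')}/_api/web/getusereffectivepermissions('{encoded}')");
    }

    // Reproduces the failing shape: prefix encoded, UPN appended as-is.
    // The first raw '#' in the UPN starts the URL fragment.
    public static Uri BuildUnencodedUpn(string webUrl, string upn)
    {
        string prefix = Uri.EscapeDataString(ClaimsPrefix);
        return new Uri($"{webUrl.TrimEnd('/')}/_api/web/getusereffectivepermissions('{prefix}{upn}')");
    }
}
```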

@jansenbe
Contributor

@FlorianLabranche : I've implemented a fix, now using the UPN value for external users works directly with the method:

var basePermissions = await context.Web.GetUserEffectivePermissionsAsync("bert_contoso.com#ext#@fabrikam.onmicrosoft.com");

@jansenbe
Contributor

Will appear in the next nightly, closing this issue now

@FlorianLabranche
Author

Thank you!
