I'm currently using a SharePoint account as a Service account to get files and share them in an application I'm working on using CSOM. I filter the files according to the logged-in user to check if the user has no access to the file, then I hide it, to prevent him from trying to access it and get "Permission Denied" error.
So, I used ListItem.GetUserEffectivePermissions for this issue, but I need to grant the user only the permissions he needs to access and make that check.
I checked the official documentation of ListItem.GetUserEffectivePermissions here but unfortunately, I found no direct clue which permission does the job.
So to recap what this service account needs to do is :
1- Execute Search across all sharepoint files [SearchExecutor].
2- Get Login Name by Email using Utility.ResolvePrincipal (to be used in GetUserEffectivePermissions function).
3- Use GetUserEffectivePermissions to check if the logged-in User has permission to view the file.
I'd really appreciate your help as I'm kind of new to SharePoint and I searched a lot but found no clue about what I need.
I would recommend that you change your architectural approach. Instead of trying to manage what permissions a user has in SharePoint, let SharePoint take care of it like it already does. Instead, have your app use an OBO (On Behalf Of) token which will honor the logged on user's permissions in SharePoint and only return items that the user has access to. For a detailed overview of the OBO flow in MSAL, please refer to this article.
Related
I need to programmatically create an app in Azure AD and programmatically assign it permissions for Graph APIs. Somehow I am unable to find any good info on this. Please let me know if there is any good example of this.
I am able to create a basic app but not sure how to assign permissions to it.
I have a few basic queries:
Can we create an app and assign permissions at the same time? Or we need to first create app and then assign permissions?
How can I get a repository of all the possible permissions? Is there any way I can get a readable form of permissions and also its GUID representation?
Any C# example of this would be much appreciated.
PFB answer to your queries :
Can we create an app and assign permissions at the same time? Or we need to first create app and then assign permissions?
--> Yes you can create an app and assign permissions are the same time.
How can I get a repository of all the possible permissions? Is there any way I can get a readable form of permissions and also its GUID representation?
--> Here is the link for all the possible permissions :https://learn.microsoft.com/en-us/graph/permissions-reference
You can use Microsoft Graph explorer to execute queries and get the GUID representation.
Here is the link : https://developer.microsoft.com/en-us/graph/graph-explorer
You must first register an application in the Azure portal (or you must have an application first), and then grant the application permission or delegate permission to call MS graph api to create other applications, here is a detailed explanation Description.
Next, you can create other applications based on this application using C# code + MS graph api, and grant permissions to other applications (this is a separate operation, of course, you can also create an application and assign permissions at the same time).
At first you have to register your application in the Azure Active Directory.
Go to Azure Portal and navigate to the Azure AD -> App Registrations and create a new App.
In the Apps administration view, go to API-Permissions and click on "Add a permission". Now you can see all the available permissions you can grant to you application.
For some permissions (indicated by an orange warning sign) you have to grant admin consent afterwards.
After you have done those steps and you configured the redirect URLs (also in the Azure portal), you can access the data you have permissions from your application.
Note: You will also have to implement an authorization flow to make use of Microsoft Graph. You can find additional information here Microsoft Graph Authentication
I have successfully connected in google drive using apis.drive.v3 and also get the file details, then perform the actions like upload, download and delete as well.
Now the user wants to remove access of google drive from my application itself, without go to google accounts (Security - Apps with access to your account - remove access).
How to disconnect (what is the api call for remove access) from my application to clear the access token and refresh token in Google Accounts?
I found the solution for the issue, with the instruction given in below link
https://developers.google.com/identity/protocols/OAuth2WebServer#tokenrevoke
It resolves the requirement for me, advise if wrong...
You can use the credential to revoke the access the user has granted you.
credential.RevokeTokenAsync(CancellationToken.None);
I'm trying to use the Microsoft Graph api to check if the signed in user is in a group (I would use claims based authentication, but the number of claims that were returned is limited to 150 items, which is not enough when my user is in a lot of groups). The problem is, I'm signing into Microsoft's Active Directory, so I am definitely not an administrator and cannot approve services like letting my user look at the entire Microsoft directory.
However, this link and this link combined seem to suggest that I'll need some permissions that can ONLY be granted by the administrator to achieve functionality (to see groups I can already see elsewhere). So, it seems like it's impossible for me, as a lowly code monkey, to access the url:
https://graph.microsoft.com/beta/me/memberOf
with the permissions I can grant. Am I understanding this correctly and is there another way to do what I'm trying to do?
You are right, you do need to log in as admin to grant those permissions when using the Microsoft Graph API.
I've just tried on the older Azure AD Graph API. There it works, but I don't know whether my org has granted the older Graph Explorer app any special privileges.
Try out https://graphexplorer.azurewebsites.net/ and GET https://graph.windows.net/tenant/me/memberOf
So I have a few accounts that have documents on them, and having to switch between them all the time is quite frustrating, so I wanted to have them shared so that I can just have a link to view the file (no editing or anything).
Problem is, now with v3, I seemingly have to add the Drive API to every account that I want to view, which doesn't work for me. It's too much of a hassle to go through ALL of the accounts, when I have the username/password for them all already.
Is there a way to have a list of all my accounts username/passwords and somehow query to get a token to view only of the files? Or is this completely not possible anymore with v3.
I can get it working fine but instead of username/password, I have to enable drive API on the account, copy/paste the credential/secret instead of the username/password, and it works perfectly. I can search through all the files I have 'found' by accessing and reading the files and AlternateLink's accordingly... I just would like a non-intrusive way for my application to do this.
This is written in C#.
Unfortunately you can no longer use username/password via an API since the ClientLogin API was shutdown in 2015.
Using OAuth, each user can be prompted to grant permission to your application. They need do this only once.
Alternatively and if the user accounts are GSuite based Google accounts, then your C# program could use a single service account and impersonate any or all accounts on your domain (once given permission to do that by your domain administrator). This obviates the need for each user to grant permission to your application. You can read about how to do this in the Delegating domain-wide authority to the service account doco.
Another alternative may be to create a google group and make all 3 accounts members of that group. Then share a folder (view, comment or edit access) with that group and put all files and sub folders there into that folder.
I have a C# MVC web application that needs to make a copy of a google sheet (template) and set the copy to read/only for the current user while the template owner gets read/write to the copy.
Normally you would give the application itself an ID to do this type of function. I haven't figured out how to give an application its own ID and session ("User-1") independent from the current user ("User-2"). I don't want to give the read/only user the read/write password to make the copy of the template and I'd really prefer the copy happen outside of the current user's google login.
Your application is bound to a specific user by virtue of the OAuth Access Token it submits. So provided your app can retrieve an Access Token for User-2 (with an appropriate scope), then you're good to go.
Getting an access token for User-1
There are number of ways you can do this, depending on the volatility and security requirements of your app. Fundamentally it requires your web app to have a stored Refresh Token for User-1, which it can use at any time to silently fetch an Access Token. See How do I authorise an app (web or installed) without user intervention? (canonical ?) for more details.
.
Some of the terminology in your question needs a bit of straightening out.
"ID" - each application has its own ID when you register it on the developer console. It's refered to as a Client-ID which confused some people into thinking the ID is somehow related to the end user; it isn't.
"Session" - there is no session to Google Drive. There may be a session to Google, within which the OAuth flow will seek to identify the Google user in order to generate an access token for that user. But there is no "session" to Drive, which is why a Drive app can access as many Drive accounts as it likes, provided it has an access token for each one.