Does the 'Sites.Selected' permission level allow SharePoint Online global search?

Open Harmeet94Singh opened this issue 2 years ago • 7 comments

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

  • [ ] 💥 Internet Explorer
  • [ ] 💥 Microsoft Edge
  • [ ] 💥 Google Chrome
  • [ ] 💥 FireFox
  • [ ] 💥 Safari
  • [ ] mobile (iOS/iPadOS)
  • [ ] mobile (Android)
  • [ ] not applicable
  • [ ] other (enter in the "Additional environment details" area below)

Additional environment details

[- browser version

  • SPFx version
  • Node.js version
  • etc ]

Describe the bug / error

I want to execute the SharePoint search API with granular access. For that I've changed the 'Sites.ReadWrite.All' permission to the 'Sites.Selected' permission, so that the application would have all sites access, but during search I'm getting an unauthorized error:

{"odata.error":{"code":"-1, Microsoft.Office.Server.Search.REST.SearchServiceException","message":{"lang":"en-US","value":"Unauthorized."}}}

I also tried to give the Sites.Selected permission at tenant level; that also does not work. If the only solution is to give 'Sites.ReadWrite.All' or 'Sites.Read', then there is no use in the granular-level access implementation; Sites.Read.All will allow all sites if granted.

My query is similar to the one below:

    https://tenant.sharepoint.com/_api/search/query?querytext='*+AND+(Path:"https://tenant.sharepoint.com/sites/SITE1/RECORDS" OR Path:"https://tenant.sharepoint.com/sites/SITE2/RECORDS")'&trimDuplicates=false&selectProperties='Column1,Column2'&refiners='Column1OWSTEXT'&refinementFilters='Column1:equals("xxxxx")'&rowLimit=5

Some other references regarding my question:

https://sharepoint.stackexchange.com/questions/306397/how-to-use-sharepoint-search-query-with-sharep...

https://sharepoint.stackexchange.com/questions/306432/is-that-sites-selected-permissions-level-allow...

https://techcommunity.microsoft.com/t5/sharepoint-developer/how-to-use-sharepoint-search-query-with-sharepoint-granular/m-p/3751381#M12271

I would really appreciate any response on this or an alternative approach to achieve this.

Steps to reproduce

We have an Azure function that queries/creates/updates SPO DocumentLibraries. We earlier granted the 'Sites.ReadWrite.All' and 'Files.ReadWrite.All' permissions to the Azure function service principal (SP), and as part of best practices switched it to the 'Sites.Selected' permission. With this new configuration the creates/updates are working; however, the SharePoint search query API (_api/search/query) is failing. Doesn't the 'Sites.Selected' configuration work for the search query API? Is provisioning 'Sites.Read.All' the only available alternative? (Which makes the app less secure.)

Note: The search query is limited to specific documentLibraries by using path filter, these are configured as part of 'Sites.Selected' configuration.

    https://tenant.sharepoint.com/_api/search/query?querytext='*+AND+(Path:"https://tenant.sharepoint.com/sites/SITE1/RECORDS" OR Path:"https://tenant.sharepoint.com/sites/SITE2/RECORDS")'&trimDuplicates=false&selectProperties='Column1,Column2'&refiners='Column1OWSTEXT'&refinementFilters='Column1:equals("xxxxx")'&rowLimit=5

Updated 21/02: With 'Sites.Selected' the search queries are throwing 'unauthorized exception'.

Expected behavior

With Sites.Selected, it should allow the search, which is not working currently.

Harmeet94Singh avatar Mar 01 '23 15:03 Harmeet94Singh

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

ghost avatar Mar 01 '23 15:03 ghost

As far as I know, apps can't use SharePoint search (because there is no user context). https://github.com/SharePoint/sp-dev-docs/issues/8436

You would need to use the graph API in your backend scenario https://learn.microsoft.com/en-us/graph/search-concept-files

smolattack avatar Mar 02 '23 14:03 smolattack

We are already using the SharePoint APIs and they are working fine. It is failing only in this scenario, when we are doing a search:

    https://tenant.sharepoint.com/_api/search/query?querytext='*+AND+(Path:"https://tenant.sharepoint.com/sites/SITE1/RECORDS" OR Path:"https://tenant.sharepoint.com/sites/SITE2/RECORDS")'&trimDuplicates=false&selectProperties='Column1,Column2'&refiners='Column1OWSTEXT'&refinementFilters='Column1:equals("xxxxx")'&rowLimit=5

OR

    https://tenant.sharepoint.com/sites/site2/_api/search/query?querytext='*'

Harmeet94Singh avatar Mar 02 '23 17:03 Harmeet94Singh

Any update, please?

Harmeet94Singh avatar Mar 15 '23 17:03 Harmeet94Singh

Just wanted to add that I'm trying the same or very similar setup and running into the same/similar issue.

We have an Azure App with the Sharepoint.Sites.Selected Application permission applied and when we try to use the SharePoint Search API (_api/search/query) endpoint the request fails with:

    body: {
      "odata.error": {
        "code": "-1, Microsoft.Office.Server.Search.REST.SearchServiceException",
        "message": {
          "lang": "en-US",
          "value": "No User or App Context found"
        }
      }
    }

Other REST API calls to the selected site work (e.g., to _api/web/lists/GetByTitle).

As a concrete example, a REST API call using the following parameters fails:

    // Failing call
    {
       uri: "https://{{tenant}}.sharepoint.com/sites/{{siteName}}/_api/search/query?querytext='sharepoint'",
       method: 'GET',
       headers: {
         Authorization: "Bearer " + token
       },
       json: true
    }

Here {{tenant}} is our tenant name, and {{siteName}} is the name of the site we've given our app access to via the MS Graph API.

Using the same token on the same site however works when making this call:

    // Successful call
    {
       uri: "https://{{tenant}}.sharepoint.com/sites/{{siteName}}/_api/web/lists/GetByTitle('Documents')",
       method: 'GET',
       headers: {
         Authorization: "Bearer " + token
       },
       json: true
    }

If I revoke the permission via the Graph API, then the above call starts returning a 403 as expected.

It almost seems like Sharepoint.Sites.Selected doesn't work with the search API but I haven't been able to find anything definitive saying whether this is expected or a bug. We're using Application permissions with certificate authentication. The search API call works fine if we switch permissions to Sharepoint.Sites.Read.All but this is not something we can do in production.

Here are the general instructions we've followed: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins-modernize/understanding-rsc-for-msgraph-and-sharepoint-online

In addition, we tested with the graph API rather than the Sharepoint API and we run into the same issue (Graph API calls except for search/query work).

sarus avatar Dec 21 '23 05:12 sarus
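
An added example, not part of the thread or of any poster's code: a Node.js check that reads the `roles` claim of an app-only access token to confirm it carries only Sites.Selected rather than a tenant-wide Sites.*.All permission, and flags calls to `_api/search/query`, which the posts above report as rejected under Sites.Selected. The function names, the sample tokens and the "expect search to be rejected" rule are assumptions drawn from those reports, not documented platform behaviour.

```javascript
// Added example (not from the thread). All token contents below are constructed.
// Application permissions that grant tenant-wide SharePoint site access.
const TENANT_WIDE = /^Sites\.(Read|ReadWrite|Manage|FullControl)\.All$/;

// Decode the JWT payload WITHOUT verifying the signature: for inspection only,
// never for making an authorization decision.
function decodeClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// App-only tokens list application permissions in `roles`; delegated tokens use `scp`.
function auditToken(jwt) {
  const claims = decodeClaims(jwt);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const appOnly = roles.length > 0 && !claims.scp;
  const tenantWide = roles.filter((r) => TENANT_WIDE.test(r));
  const selectedOnly = appOnly && tenantWide.length === 0 && roles.includes('Sites.Selected');
  return { appOnly, roles, tenantWide, selectedOnly };
}

// Assumption from the thread's reports: search fails when only Sites.Selected is held.
function reviewCall(jwt, uri) {
  const audit = auditToken(jwt);
  const isSearch = new URL(uri).pathname.toLowerCase().endsWith('/_api/search/query');
  if (audit.tenantWide.length > 0) return 'over-privileged: ' + audit.tenantWide.join(', ');
  if (audit.selectedOnly && isSearch) return 'expect search to be rejected';
  return 'ok';
}

// Constructed, unsigned sample tokens (header and signature are dummies).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'none', typ: 'JWT' }), enc(claims), 'sig'].join('.');
}
const SELECTED = makeToken({ aud: 'https://tenant.sharepoint.com', roles: ['Sites.Selected'] });
const BROAD = makeToken({ aud: 'https://tenant.sharepoint.com', roles: ['Sites.Read.All'] });
const SEARCH = "https://tenant.sharepoint.com/sites/SITE1/_api/search/query?querytext='sharepoint'";

console.log(reviewCall(SELECTED, SEARCH));
console.log(reviewCall(SELECTED, "https://tenant.sharepoint.com/sites/SITE1/_api/web/lists/GetByTitle('Documents')"));
console.log(reviewCall(BROAD, SEARCH));
```
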

I am struggling with the same issue. We cannot grant Sites.Read.All. Therefore we use Sites.Selected. But in this case I receive: "No User or App Context found".

DeLuca-Marco avatar Mar 21 '24 14:03 DeLuca-Marco