Geeks With Blogs
SharePoint Wiki! Sharing is gaining...

As we all start working on apps with SharePoint 2013, it becomes critical to know how permissions work with apps. 

First, we need to know that both the app and the user need permission to perform the operations specified for the app. It would not matter if I were a Site Admin and tried to write to a list through an app if the app itself lacked adequate permissions, and vice versa. 

Basically the app is making a call into SharePoint by providing the OAuth access token.  SharePoint sees that no user credentials were provided in the request and an OAuth access token is present.  When acting on behalf of a user, the token will include user information, so the context will be the App+User context.

Can I use RunWithElevatedPrivileges with Apps?

Many developers use it without quite understanding what the API is doing, but that is a different discussion... The answer is NO!

The new app model does away with this impersonation confusion and makes things quite a bit more straightforward, because there is no impersonation capability in the API. Now the question arises: how do we use the new app model to perform actions when the user doesn’t have permission?  The answer is the App Only Policy. 

Our new scenario, an app performing work that the user does not have permission to do, means we will use the app-only policy.  An OAuth access token is present, but this time the token does not contain user information.  In this case, permissions are evaluated solely on the permissions of the app and not on those of the user. The first step is to request permission to use the app-only policy in your app manifest by adding the AllowAppOnlyPolicy attribute to the AppPermissionRequests node with a value of true.

This capability is only available to provider-hosted and Azure auto-hosted apps.  It is not available to SharePoint-hosted apps.  In a SharePoint-hosted app, there is necessarily always an app+user context. 
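As an added example (not from the original post), here is an AppManifest.xml fragment for a provider-hosted app that requests the app-only policy described above. The Scope and Right values are the standard SharePoint 2013 permission-request values; the ClientId is a placeholder, and the choice of Write on a single list is my assumption for this scenario:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- AppManifest.xml fragment (added example, not the original post's manifest). -->
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="AnnouncementsWriter"
     ProductID="{00000000-0000-0000-0000-000000000000}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0">
  <Properties>
    <Title>Announcements Writer</Title>
    <StartPage>~remoteAppUrl/Pages/Default.aspx?{StandardTokens}</StartPage>
  </Properties>
  <!-- Provider-hosted: the app runs outside SharePoint and authenticates as a
       remote web application. ClientId below is a placeholder; the real value
       is issued when the app principal is registered (S2S or ACS). -->
  <AppPrincipal>
    <RemoteWebApplication ClientId="00000000-0000-0000-0000-000000000000" />
  </AppPrincipal>
  <!-- AllowAppOnlyPolicy="true" is what lets TokenHelper return a token with
       no user identity. Because an app-only call is not limited by the
       caller's own rights, the requested scope is the narrowest that covers
       the work: Write on one list (picked when the installer trusts the app),
       not on the web, site collection or tenant. -->
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest
        Scope="http://sharepoint/content/sitecollection/web/list"
        Right="Write" />
  </AppPermissionRequests>
</App>
```

If the attribute is omitted or false, the app-only token calls shown later in the post fail, so the manifest is the first thing to check when GetS2SAccessTokenWithWindowsIdentity(_hostWeb, null) or GetAppOnlyAccessToken does not return a token.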

S2S - App Only Context 

Creating a provider-hosted app that leverages the app-only policy using S2S is actually very easy.  The first step is to make sure that you add the AllowAppOnlyPolicy attribute in the app manifest.  The next step is to use the TokenHelper::GetS2SAccessTokenWithWindowsIdentity method, passing null for the WindowsIdentity parameter.

// Host web URL passed by SharePoint on the app's start page.
Uri _hostWeb = new Uri(Request.QueryString["SPHostUrl"]);

// Passing null for the WindowsIdentity parameter requests an app-only token
// (no user information); this only succeeds when AllowAppOnlyPolicy is true.
string appOnlyAccessToken =
    TokenHelper.GetS2SAccessTokenWithWindowsIdentity(_hostWeb, null);

If the app manifest has the AllowAppOnlyPolicy attribute set to true, this call will succeed and return a valid OAuth access token that does not contain user information.  Once you have the access token, then you can use the TokenHelper::GetClientContextWithAccessToken method to obtain a CSOM client context.

// Build a CSOM client context from the app-only token; every call made through
// it is evaluated against the app's permissions alone.
using (ClientContext clientContext =
    TokenHelper.GetClientContextWithAccessToken(_hostWeb.ToString(), appOnlyAccessToken))
{
    List list = clientContext.Web.Lists.GetByTitle("Announcements");
    ListItemCreationInformation info = new ListItemCreationInformation();
    Microsoft.SharePoint.Client.ListItem item = list.AddItem(info);
    item["Title"] = "Created from CSOM";
    item["Body"] = "Created from CSOM " + DateTime.Now.ToLongTimeString();
    item.Update();
    clientContext.Load(item);
    // The write succeeds even when the current user only has read permission.
    clientContext.ExecuteQuery();
}

To test this, deploy the app and then log on as a user that only has read permission to the list.  Execute the code, and a new item is created even though the user does not have permission to create items in the list.  The Created By and Modified By fields in the list will reflect that it was only the app’s permissions that were used to create the item.

If we had included a user identity (as the code generated by Visual Studio does by default), then the created by and modified by fields would look a little different, showing that code was executed on behalf of an individual.

ACS - App Only Context

Creating an app-only context with a provider-hosted app using a trust to ACS is just slightly more involved.  A trust to ACS is automatically established when you create your O365 tenant.  If you are self-hosting your SharePoint farm, then a trust to ACS can be established between your SharePoint farm and ACS.

We use a similar approach as before, but this time we need to extract the context token string and validate the token in order to retrieve information such as the authentication realm.  Given this information, we can request an app-only token using TokenHelper::GetAppOnlyAccessToken.  Once we have the access token, we obtain the client context using TokenHelper::GetClientContextWithAccessToken.

// Host web URL passed by SharePoint; declared as Uri (not string) because
// .Authority and .ToString() are used below.
Uri _hostWeb = new Uri(Request.QueryString["SPHostUrl"]);
string _contextTokenString = TokenHelper.GetContextTokenFromRequest(Page.Request);

// Get and validate the context token before trusting the realm and
// target principal carried inside it.
SharePointContextToken contextToken =
    TokenHelper.ReadAndValidateContextToken(_contextTokenString, Request.Url.Authority);

// Get an app-only access token from ACS; it carries no user identity.
string appOnlyAccessToken =
    TokenHelper.GetAppOnlyAccessToken(contextToken.TargetPrincipalName,
            _hostWeb.Authority, contextToken.Realm).AccessToken;

// Demo output only: this writes the bearer token itself into the HTML response.
Response.Write("<h2>Valid app-only access token retrieved</h2>");
Response.Write("<p>" + appOnlyAccessToken + "</p>");
Response.Flush();

// Same CSOM write as in the S2S example, now under the ACS-issued app-only token.
using (ClientContext clientContext =
    TokenHelper.GetClientContextWithAccessToken(_hostWeb.ToString(), appOnlyAccessToken))
{
    List list = clientContext.Web.Lists.GetByTitle("Announcements");
    ListItemCreationInformation info = new ListItemCreationInformation();
    Microsoft.SharePoint.Client.ListItem item = list.AddItem(info);
    item["Title"] = "Created from CSOM";
    item["Body"] = "Created from CSOM " + DateTime.Now.ToLongTimeString();
    item.Update();
    clientContext.Load(item);
    clientContext.ExecuteQuery();
}

The result is the same as before: a user that does not have write permission to a list is able to execute the app, which has been granted the AllowAppOnlyPolicy in the permission requests in the app manifest, and the write-to-list operation now succeeds.


Posted on Tuesday, April 2, 2013 4:37 PM. Tags: SharePoint, SharePoint 2013, Apps, JavaScript, CSOM, 2013, sp15, security, permissions


Comments on this post: SharePoint 2013 Apps - Policies and Permissions

Copyright © KunaalKapoor | Powered by: GeeksWithBlogs.net