Question

I am attempting to traverse up the site hierarchy tree using the REST API in SharePoint with SPFx in order to create "legacy-style" breadcrumbs. I am basing my component on the code found here.

If the user does not have access to a particular site, I want to simply skip that site and not include it in that user's breadcrumb. The problem is, in an on-prem environment using NTLM-integrated security, the REST API automatically triggers a login dialog prompt when the currently-logged-in user does not have access. Since the current user does not have access, if they input their credentials, it keeps re-prompting them. The only way for the script to proceed is if the user clicks "cancel"; then we can handle the "Access Denied" case in code and continue building the breadcrumb.

How can we just receive an Access Denied message and avoid having the REST call trigger a credential popup when the user does not have permission?

Solution

If your SharePoint farm is using integrated security with your local domain, there is no way to directly stop the user from being prompted for credentials when you try to access a resource they do not have access to.

Instead, you would need to check that the user has access to the site first, and if not, then stop traversing up the hierarchy. Ideally, you would be able to call the EffectiveBasePermissions API, but in an integrated scenario where the user has no access, this also causes the credential prompt.

The best workaround is to use the Search API, to search for the site you are going to try to get through the web API. Since search is "security trimmed", instead of throwing an error or prompting for credentials, it will simply not include the site in the results. Use the following REST Query to search for a specific site:

/_api/search/query?queryText=%27(ContentClass=STS_Web%20OR%20ContentClass=STS_Site)%20Path=InsertFullUrlOfTheSiteYouAreCheckingHere%27

If this returns one result, then you can safely execute the /_api/web REST call; if this query returns nothing, then stop.
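
The pre-check described in this answer, as an added TypeScript example that is not part of the original answer or of any SharePoint library. The function names, the injected fetchJson helper and the example.invalid-style URLs used with it are assumptions; it also assumes the search request is sent to the current web (which the user can already read) and that Path takes a double-quoted value so a URL containing spaces stays one term.

```typescript
// Added example. All names below are hypothetical helpers, not SPFx APIs.

// Build the security-trimmed search query from the answer for one candidate site.
// The request goes to the web the user is already on, never to the candidate.
function buildSiteSearchUrl(currentWebUrl: string, siteUrl: string): string {
  const target = siteUrl.replace(/\/+$/, "");
  const kql = `(ContentClass=STS_Web OR ContentClass=STS_Site) Path="${target}"`;
  // queryText is an OData string literal: wrap in single quotes, double any inside.
  const literal = `'${kql.replace(/'/g, "''")}'`;
  const base = currentWebUrl.replace(/\/+$/, "");
  return `${base}/_api/search/query?queryText=${encodeURIComponent(literal)}`;
}

// True when the search response lists at least one row for the site.
// Handles both the odata=verbose shape (d.query...) and the unwrapped shape.
function isSiteVisible(body: any): boolean {
  const root = body?.d?.query ?? body;
  const rowCount = root?.PrimaryQueryResult?.RelevantResults?.RowCount;
  return typeof rowCount === "number" && rowCount > 0;
}

// Decide whether /_api/web may be called on siteUrl without risking the
// NTLM credential prompt. fetchJson is injected (assumption): in SPFx it
// would wrap the page's HTTP client and return the parsed JSON body.
async function canCallWebApi(
  currentWebUrl: string,
  siteUrl: string,
  fetchJson: (url: string) => Promise<any>
): Promise<boolean> {
  try {
    const body = await fetchJson(buildSiteSearchUrl(currentWebUrl, siteUrl));
    return isSiteVisible(body);
  } catch {
    // Fail closed: on any search error, stop climbing instead of calling
    // /_api/web and triggering the prompt.
    return false;
  }
}
```

A site that the search service has not indexed yet also returns zero rows, so this check treats it the same as a site the user cannot access.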

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange