I'm using strapi.
User registered with local api getting all data same as super admin.
How to implement or which plugin setting restricts, non-admin user to access data that he has added. (Similar to author-admin role)
This depends. Do you mean access their own data via the default Strapi backend? if yes, you could give them the Author role. Authors can always onle edit their own content.
If you mean access via REST API, you should be able to accomplish this with a policy, where you can restrict specific access based on your code entirely.
We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.
Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.
But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.
Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.
This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).
The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.
My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".
Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.
My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.
The application's token has the following scopes:
Directory.AccessAsUser.All
User.Read
We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.
The application is also registered as a Native app, if that makes a difference.
Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.
Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.
Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.
You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.
You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.
What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?
If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.
not sure if this is the right place to post dev question so please point me to the right place if its not...
I have a customer that gave a user permission to one specific list.
for example:
https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks
The user cannot browse to the site:
https://[tenant].sharepoint.com/sites/qa/permissions
But he can get to the list with no problems.
When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.
Rest API url we tried:
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')
https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items
Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.
Is there a different way to make the REST API work for users with permissions to just one list?
Is there a limitation of the REST API and it does not support that?
Thanks!
(I posted this on technet as well, and will update here if I get an answer there)
You can deactivate the site collection feature Limited-access user permission lockdown mode.
When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.
So, go to your Site Settings > Site collection features
And Deactivate the Limited-access user permission lockdown mode feature.
After that, refresh and check.
More details - Enable or disable site collection features
I always get
Call restricted to workspace admins when using remove user api. Is there any way to work around and remove user from api.
Also when I add someone using addUser api they are added as Guest is there any way to make them member?
There is no way to work around having to be an admin to POST to /workspaces/workspace-id/removeUser. This is by design as it could cause security issues if everyone was capable of deleting users in a workspace.
When adding a user with the API, they will be added as a member if the new user's email address matches the domain of the workspace. If it doesn't match, they will be added as a guest.
Yesterday I could find a user via the API:
https://api.instagram.com/v1/users/search/?q=...&access_token=...
But now everything returns Meta-code-200 and empty data.
What happened?
If your app is in sandbox mode then you can get information about only sandbox invited users.
If you app is in live mode then make sure public_content permission is Approved.
Please also check scope you are using. Make sure in scope you are sending public_content permission.