Microsoft Graph - Why is root site read access nee

Posted 2020-07-18 10:13

Question:

I'm trying to access the items of a list that is a part of a nested subsite, like this:

https://{mytenant}.sharepoint.com/
    vendorSiteCollection/
        vendorAppSite/
            vendorList

My test user has only Read permission on the vendorAppSite Subsite. I have removed read permissions from all other sites, including the root site collection at https://{mytenant}.sharepoint.com.

If I navigate to here in a browser:

https://{mytenant}.sharepoint.com/sites/{vendorSiteCollection}/{vendorAppSite}/Lists/{vendorList}/AllItems.aspx

Then I see the list, just as expected.

However, when I make this request in the Graph Explorer:

https://graph.microsoft.com/v1.0/sites/root:/sites/{vendorSiteCollection}/{vendorAppSite}:/lists/{vendorList}?$expand=items($expand=fields)

I get a 403 forbidden response:

{
    "error": {
        "code": "accessDenied",
        "message": "The caller does not have permission to perform the action.",
        "innerError": {
            "request-id": "15e2087d-8ae5-46e3-abee-4ab165629dfb",
            "date": "2018-04-05T12:08:16"
        }
    }
}

I would have expected to be able to read the list items via the API just like I can see the list items in the SharePoint Online UI.

How can I use the Microsoft Graph API to read the items when the permission levels are set like this?

Side note: When the test user has Read permission on the root site collection at https://{mytenant}.sharepoint.com, the API works as expected. But this workaround doesn't work for us since we don't want our users to have read access to the root site collection.

Answer 1:

This issue seems to be fixed in the MS Graph.
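
A regression check for the permission layout described in the question, as an added example that is not part of the original post or answer. It builds the same path-addressed request, parses the Graph error envelope shown above, and reports whether a subsite-only user can read the list while the root site stays unreadable. The function names and the `fetch` callable are hypothetical, and the sample response is constructed.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def list_items_url(site_collection, subsite, list_name):
    # Path-based addressing from the question: sites/root:/<server-relative path>:/lists/<list>
    path = "/sites/" + "/".join(quote(p, safe="") for p in (site_collection, subsite))
    return (f"{GRAPH}/sites/root:{path}:/lists/{quote(list_name, safe='')}"
            "?$expand=items($expand=fields)")

def classify(status, body):
    """Reduce a Graph response to (outcome, request_id) using the error envelope shown above."""
    if 200 <= status < 300:
        return ("allowed", None)
    try:
        err = json.loads(body).get("error") or {}
        code = err.get("code")
        request_id = (err.get("innerError") or {}).get("request-id")
    except (ValueError, TypeError, AttributeError):
        return ("error", None)  # not a Graph JSON error body (proxy page, empty reply)
    return ("denied" if status == 403 and code == "accessDenied" else "error", request_id)

def check_subsite_only_access(fetch, site_collection, subsite, list_name):
    """fetch(url) -> (status, body) is a hypothetical callable that sends the GET
    with the test user's delegated token."""
    list_outcome, req_id = classify(*fetch(list_items_url(site_collection, subsite, list_name)))
    root_outcome, _ = classify(*fetch(f"{GRAPH}/sites/root"))
    return {
        "list": list_outcome,
        "root": root_outcome,
        "list_request_id": req_id,  # correlation id to quote when reporting a denial
        # Desired state from the question: list readable, root site not readable.
        "least_privilege_ok": list_outcome == "allowed" and root_outcome == "denied",
    }

if __name__ == "__main__":
    # Constructed replay of the behaviour the question reports: both requests denied.
    denied = json.dumps({"error": {"code": "accessDenied", "message": "...",
                                   "innerError": {"request-id": "00000000-0000-0000-0000-000000000000"}}})
    print(check_subsite_only_access(lambda url: (403, denied),
                                    "vendorSiteCollection", "vendorAppSite", "vendorList"))
```

Run it with a real `fetch` after any permission change so that restoring root-site read access as a workaround shows up as `least_privilege_ok: False`.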