UnauthorizedAccessException for limited permissions user via REST API

Question

not sure if this is the right place to post dev question so please point me to the right place if its not...

I have a customer that gave a user permission to one specific list.

for example:

https://[tenant].sharepoint.com/sites/qa/permissions/lists/tasks

The user cannot browse to the site:

https://[tenant].sharepoint.com/sites/qa/permissions

But he can get to the list with no problems.

When we try to get the list items using REST api, that user gets "UnauthorizedAccessException" error.

Rest API url we tried:

https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')

https://[tenant].sharepoint.com/sites/qa/permissions/_api/web/lists/getbytitle('tasks')/items

Users with at least read permissions on the site /sites/qa/permissions have no problems getting to both these API endpoints.

• Is there a different way to make the REST API work for users with permissions to just one list?

• Is there a limitation of the REST API and it does not support that?

Thanks!

(I posted this on technet as well, and will update here if I get an answer there)

Answer 1

You can deactivate the site collection feature Limited-access user permission lockdown mode.

When this feature is activated, users with "Limited access" as permissions have reduced permissions which prevent them from accessing the list item/documents properties. This will cause the Unauthorized Exception error while accessing SharePoint artefacts.

So, go to your Site Settings > Site collection features

And Deactivate the Limited-access user permission lockdown mode feature.

After that, refresh and check.

More details - Enable or disable site collection features