This tip demonstrates user permissions in SharePoint-hosted apps in SharePoint 2013 with attention to a multiple user scenario. It also tries to populate selective items from a SharePoint site to a SharePoint-hosted app.
While I was teaching SharePoint 2013, I noticed that participants were always intrigued by how apps would react to a multiple-user scenario and what the user permissions would be like. So I have tried to put together this scenario in this document with three dummy users. The names used in this article are imaginary and resemblance to any personalities is purely coincidental.
Using the Code
The Dummy Users
I have a team-site called Office Services whose primary administrator is a user called administrator. There are two dummy users that we would be referring to in this tip:
- Anne Wallace
- Alan Steiner
The SharePoint Lists Permissions
The names of the lists might sound little strange but I have used those names in order to keep the permissions story simple. The list name basically shows the user associated. So I have created two custom lists in my team site:
- Anne List
This list will display currencies. The administrator and the group called Anne have permissions on this list. For this, a new group called Anne was created and only Anne Wallace was added to this particular group. No permissions are granted to Alan for this list.
- Alan List
This list will display countries. The administrator and a group called Alan have permissions on this list. For this, a new group called Alan was created and only Alan Steiner was added to this particular group. No permissions are granted to Anne for this list.
SharePoint-hosted App Magic
Now let’s take a look at how an app would treat this if we login as some other user (other than administrator who is the super user). So we build a SharePoint hosted app – I have called it
SharePointApp_MultiUser. You will see this name on the screen where you have all the apps listed. So let’s talk about what our app does and how we have tried to achieve this. The app simply displays the titles of elements in both these SharePoint lists in the app itself. So basically what we are trying to do is retrieve the data from these SharePoint lists and display in our app. We will make REST call for this and since it is a SharePoint-hosted app, everything will be client side scripting. No server side code can be used here. The default.aspx page has been kept simple with an area to display Anne List and Alan list – as shown in the code snippet below:
<asp:Content ContentPlaceHolderID="PlaceHolderMain" runat="server">
Countries from Alan's List
Currencies from Anne's List
Currencies for my lists. The implementation of both the objects is exactly the same, so I’ll explain one of those.
Countries object has two properties:
Element - This is the HTML element on the page where our data will be displayed. It is initialized in the
url – This is the URL which specifies the data that you are getting from the SharePoint site. So in our case, we want to get the titles of Alan List. Hence we specify the name of the list in the URL and the title also in the query string:
"Countries.url = _spPageContextInfo.webAbsoluteUrl +
It has four methods:
Init – Initializes the values of element and URL
Load – Specifies the call to the SharePoint site. This is where the
GET method and the headers are specified. It also mentions the success and failure attributes
onSuccess – If the method is successful, the data retrieved is displayed in an HTML table
onError – If the method fails, it displays the message – You do not have permissions to view this list
The next most important thing that we do before deploying our app is to set the required permissions in the appManifest.xml.
AppManifest is a very important entity with respect to the app model in SharePoint. This is the place where all the information about the app resides. So whenever the app tries to access the parent site or any other resource, it has to be specified in the appManifest.xml. If the required permissions are not specified in the
appManifest file, your app will not behave in the desired manner and throw an exception. This is actually quite similar to the
AppManifest file story in Windows 8 apps or Windows Phone 8 apps for that matter; if you have done any kind of app programming there.
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write" />
So we are done with our coding and now let’s deploy and test our code. The app is successfully deployed using Visual Studio.
- Open Internet Explorer as a different user. Enter the credentials for administrator who is the primary owner of the team site. Enter the URL of the team site Office Services and launch the Multi user app. You get to see both the lists on the screen.
- Open Internet Explorer as a different user. Enter the credentials for Alan Steiner who has permissions on Alan’s list but does not have any permission on Anne’s list. Enter the URL of the team site Office Services and launch the Multi user app. You get to see only the countries which are coming from Alan’s list. You also see an error message which states – “You do not have permissions to view this list”. This second error message is for Anne’s list.
- Open Internet Explorer as a different user. Enter the credentials for Anne Wallace who has permissions on Anne list but has no permission on Alan list. Enter the URL of the team site Office Services and launch the multi user app. You get to see only the currencies which are coming from Anne list. You also see an error message which states – “You do not have permissions to view this list”. This error message is for Alan list.
- 6th May, 2013: Initial version