jQuery/JavaScript security challenge

  • Question

  • I have a tricky problem that for the life of me I can’t get to work. I have a “Request for
    Counsel” list that the Office of Counsel has set up on their Team site. I need
    to enable any authenticated user to submit a New request and possibly see any of their
    own requests in the queue, but that should be the only access they would be
    permitted to have on the site. I have written some JavaScript code to show and
    hide fields based on a user’s selections on the new form. This code works
    perfectly for those with the Team site permissions but does not work for those
    with only permissions to add to the list. It does not seem to "post back" on changes to the dropdown. I have tried tweaking the permissions to the form, but all seem to work only when rights are granted to the rest of the site. What makes this even more challenging is that any fixes are hard to test
    without having a “guinea pig” with only basic rights to test for me. Can anyone advise on the best way to accomplish my objective? Thanks!

    Monday, September 9, 2019 6:05 PM

All replies

  • Hi ,

    If your user can access the page, HTML DOM operations won’t be an issue. If your solution doesn’t work because of a permission issue, you can’t elevate privileges through the client-side API (JSOM/REST API), according to my knowledge.

    You could create a farm solution with a custom web part for this requirement, so you could elevate privileges in the web part solution.

    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        //New SPSite object.
         using (SPSite site = new SPSite(web.Site.ID))
         {
        //Do things by assuming the permission of the "system account".
         }
    });


    Best Regards,

    Lee


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    Tuesday, September 10, 2019 2:22 AM
  • Greetings Lee,

    Thank you for your response, I truly appreciate it. To be honest, I was waiting, hoping for a more simple solution from "the gallery". As it seems that this is the only candidate solution, I guess that I need to understand it better. So, are you saying that the code above should be a "wrapper" for the JavaScript in the Script Editor web part? Or are you saying that I should be creating an entirely new custom web part with my list in it and wrapping the entire web part? And how would I go about doing that (wrapping the entire object)? Maybe you know a link that demonstrates this?


    Robert Fritzen

    Friday, September 13, 2019 12:26 PM
  • Hi ,

    The thread below shares a demo for a SharePoint 2010 web part (it’s similar in SharePoint 2013).

    http://www.softwaretraininginchennai.com/blog/crud-operation-with-sharepoint-list-in-visual-web-part.html

    Wrap RunWithElevatedPrivileges in the code where you need it, for example:

    protected void btnUpdate_Click(object sender, EventArgs e)
    {
        SPSecurity.RunWithElevatedPrivileges(delegate ()
        {
            // New SPSite object, created inside the delegate so it runs as the system account.
            using (SPSite site = new SPSite(SPContext.Current.Site.Url)) // Site Collection
            {
                using (SPWeb web = site.OpenWeb()) // Site
                {
                    SPList list = web.Lists["EmployeeList"]; // List
                    SPListItem oListItem = list.Items.GetItemById(Convert.ToInt32(hfId.Value));
                    oListItem["Title"] = txtEmployeeName.Text;
                    oListItem["EmployeeName"] = txtEmployeeName.Text;
                    oListItem["Age"] = txtAge.Text;
                    oListItem.Update();
                    BindGrid();
                    lblresults.Text = "Updated Successfully";
                }
            }
        });
    }

    Attached is another thread for your reference.

    https://www.c-sharpcorner.com/UploadFile/82b15a/visual-web-part-in-sharepoint-2013-with-external-js-and-css/

    Best Regards,

    Lee



    Monday, September 16, 2019 7:30 AM
  • Greetings Lee,

    Thank you for your response. It seems that your response and examples assume I have access to Visual Studio to implement my solutions. I do not. All I have is SP's "Edit Page" and SP Designer. It also seems that your solution only works server side. I believe my problem is all client side, the jQuery responds perfectly to site users with higher level permissions, it is only the list access only users that it does not work for. All "problem activity" takes place between the page request and the page submit. All authenticated users have "Contribute" level access to the list. I have set item level permissions (in Advanced settings) for the list. So theoretically, contribute level users should only have access to their own records. Should I wrap the JavaScript code with your RunWithElevatedPrivileges? What do you propose for my scenario?


    Robert Fritzen

    Monday, September 16, 2019 2:20 PM
  • Hi,

    Client-side code (JavaScript or REST API) can't RunWithElevatedPrivileges.

    For a permission issue, you have to use another solution (a farm solution as above or a SharePoint add-in).

    https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/app-only-elevated-privileges-sharepoint-add-in

    Best Regards,

    Lee



    Wednesday, September 18, 2019 9:41 AM
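
The farm-solution approach from the replies, applied to the "submit a new request" scenario in the question, as an added example that is not code from any poster in this thread. The class name, the list title and the "Details" field are assumptions. It captures the caller before elevating, keeps the elevated block to a single add, and stamps the real submitter so the list's item-level permissions still match each request to its owner.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public static class CounselRequestWriter // hypothetical helper class
{
    // Assumed list title; "Details" below is an assumed field name.
    private const string ListTitle = "Request for Counsel";

    public static int Submit(string title, string details)
    {
        // Capture identity and context BEFORE elevating: objects opened
        // inside the delegate run as the system account, not the caller.
        SPWeb currentWeb = SPContext.Current.Web;
        SPUser caller = currentWeb.CurrentUser;
        if (caller == null)
            throw new UnauthorizedAccessException("Sign-in required.");

        // Check the request digest in the caller's context rather than
        // switching on AllowUnsafeUpdates inside the elevated block.
        if (!SPUtility.ValidateFormDigest())
            throw new UnauthorizedAccessException("Invalid form digest.");

        // Elevated code bypasses list permissions, so validate input here.
        if (string.IsNullOrEmpty(title) || title.Length > 255)
            throw new ArgumentException("Title is required (max 255 chars).");

        Guid siteId = currentWeb.Site.ID;
        Guid webId = currentWeb.ID;
        string login = caller.LoginName;
        int newId = 0;

        SPSecurity.RunWithElevatedPrivileges(delegate ()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPList list = web.Lists.TryGetList(ListTitle);
                if (list == null)
                    throw new InvalidOperationException("List not found.");

                // The elevated block does one thing only: add one item.
                SPUser author = web.EnsureUser(login);
                var who = new SPFieldUserValue(web, author.ID, author.Name);
                SPListItem item = list.AddItem();
                item["Title"] = title;
                item["Details"] = details;
                item["Author"] = who;   // Created By = real submitter
                item["Editor"] = who;   // Modified By = real submitter
                item.Update();
                newId = item.ID;
            }
        });
        return newId;
    }
}
```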