How to Check User Permission in SharePoint 2013 Using REST API

Introduction

In this article I explore how to check whether the logged-in user has full permission using the SharePoint 2013 REST API.

I wanted to avoid using JSOM and do everything with REST. Fortunately, I understand that you must rely on JSOM for certain things. In this case JSOM has the SP.BasePermissions type with methods for combining sets of permissions. This type is defined in SP.js. JSOM also exposes the types of permissions as a basic integer enumeration, SP.PermissionKind. This enumeration is defined in SP.Runtime.js. I still could not figure out how to get the high and low values for the permission. I knew what the values were supposed to be for the EditListItems permission. Looking at the permission in debug view, I noticed the values were exposed by the typical nonsensical property names $4_1 and $5_1. Whenever you set the permission with a permission kind, the JSOM function will bit-shift the values and re-calculate the high and low values.

Normally we need to answer questions such as:

  • Does the current user have admin permission on the site?
  • and so on

SharePoint provides a method called doesUserHavePermissions to do that. First of all we need to understand how SharePoint defines user roles: it assigns permission levels such as Full Control, Contributor, Design and so on.

For example, a site admin is assigned Full Control, which is a composite of several permission items that we call permission kinds.

Full Control: Permission levels and permissions

Example:

Assume that we want to check whether the current user is an admin of the site. For that we need to check that the user has the manageWeb permission kind. (Strictly, we should also check the other permission kinds that make up Full Control, but a user who has the manageWeb permission is likely to be able to perform admin tasks. In my other example I will show how to check the full permission kinds.)

 

    function getUserWebPermissionREST() {

        // Permission for admin to show or hide the entries on memory board using ShowOnHomePage Field
        var perm = new SP.BasePermissions();
        perm.set(SP.PermissionKind.manageWeb);

        // $4_1 and $5_1 are the minified internal fields that hold the high and low values
        $.ajax({
            url: _spPageContextInfo.webAbsoluteUrl + "/_api/web/doesuserhavepermissions(@v)?@v={'High':'" + perm.$4_1.toString() + "', 'Low':'" + perm.$5_1.toString() + "'}",
            type: "GET",
            headers: { "accept": "application/json;odata=verbose" },
            success: function (data) {
                var d = data.d.DoesUserHavePermissions;

                if (d === true) {
                    // Show Check Box if Full Control
                }
                else {
                    // Hide Check Box
                }
            },
            error: function (err) {
                alert(JSON.stringify(err));
            }
        });
    }
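
The function above reads the high and low values from $4_1 and $5_1, which are internal minified names rather than a documented API. The following is an added example, not code from the original article: it computes the same High/Low pair directly from the permission kind numbers and builds the doesuserhavepermissions URL. The helper names (permissionMask, maskIncludes, buildPermissionCheckUrl) are hypothetical, the numeric values in PermissionKind are assumed to match the SP.PermissionKind enumeration, and the site URL in the usage comment is constructed.

```javascript
// Added example: High/Low masks without SP.BasePermissions internals.
// Assumption: these numbers mirror the SP.PermissionKind enumeration.
const PermissionKind = {
  emptyMask: 0,
  editListItems: 3,
  managePermissions: 26,
  manageWeb: 31,
  enumeratePermissions: 63,
  fullMask: 65
};

// Kind n (1..64) is bit n-1 of a 64-bit mask: bits 0-31 form Low, bits 32-63 form High.
function permissionMask(kinds) {
  let high = 0, low = 0;
  for (const kind of kinds) {
    if (kind === PermissionKind.fullMask) {
      high |= 0x7fffffff;
      low |= 0xffffffff;
    } else if (kind >= 1 && kind <= 32) {
      low |= 1 << (kind - 1);
    } else if (kind >= 33 && kind <= 64) {
      high |= 1 << (kind - 33);
    } else if (kind !== PermissionKind.emptyMask) {
      throw new RangeError("Unknown permission kind: " + kind);
    }
  }
  // >>> 0 turns the signed 32-bit results into unsigned numbers.
  return { High: high >>> 0, Low: low >>> 0 };
}

// True when every bit required by `kind` is present in `mask`.
function maskIncludes(mask, kind) {
  const required = permissionMask([kind]);
  return ((mask.High & required.High) >>> 0) === required.High &&
         ((mask.Low & required.Low) >>> 0) === required.Low;
}

// Builds the same request URL as getUserWebPermissionREST, for one or more kinds.
function buildPermissionCheckUrl(webUrl, kinds) {
  const m = permissionMask(kinds);
  const alias = "{'High':'" + m.High + "','Low':'" + m.Low + "'}";
  return webUrl + "/_api/web/doesuserhavepermissions(@v)?@v=" + encodeURIComponent(alias);
}

// Usage (constructed URL):
// buildPermissionCheckUrl("https://contoso.example/sites/demo", [PermissionKind.manageWeb]);
```

Passing several kinds to permissionMask combines them into one mask, so a single request can cover more than manageWeb. The result should only decide what the page shows; SharePoint still enforces the permission on the server when the item is updated.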