SharePoint网站、列表和列表项都属于SecurableObject类型。默认情况下,一个安全对象继承父级的权限。对一个对象设置自定义权限,你需要打破它从父级的继承,通过增删role assignments来自定义权限。
本篇同样会以代码示例来说明如何在列表上设置自定义权限,然后再更改一个组的权限。该示例使用REST服务来:
>获取目标组的ID。该示例通过目标组的ID来获取当前列表上的组所具有的角色绑定,并向列表添加新的角色。
>获取为组定义的新的权限的角色定义的ID,该ID用来向列表添加新的角色。该示例使用已存在的角色定义来定义新的角色,当然你也可以选择创建一个新的角色定义。
>使用BreakRoleInheritance方法打破列表上的权限继承。该示例打破了列表的权限继承并保留当前的权限设置。(在打破权限继承的时候,也可以选择不保留当前的设置而只把当前用户添加到管理权限级别。)
>通过发送DELETE方法请求到role assignment端点来移除列表上的组当前的role assignment。(如果你在打破权限继承的时候没有保留现有设置,可以忽略此步。)
>使用AddRoleAssignment方法在目标列表上为组添加一个新的role assignment,该操作会将组绑定到一个角色定义,并把这个角色添加到列表上。
前置条件
>SharePoint开发环境
>带有Office Developer Tools的Visual Studio 2013或更高版本
此外,还需要为Add-in授予网站范围内的完全控制权限;并且只有本身具有足够权限来更改列表权限的用户(如网站所有者)才可以执行这个Add-in。
示例:使用REST接口在列表上自定义权限
下面的示例展示了一个SharePoint承载的Add-in中的App.js文件的内容。第一个示例使用JavaScript跨域库来构建和发送HTTP请求,第二个示例使用jQuery AJAX请求。在你执行代码之前,需要把占位符的值替换成真实的值。
示例一:跨域库请求
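'use strict';

// Change placeholder values before you run this code.
var listTitle = 'List 1';
var groupName = 'Group A';
var targetRoleDefinitionName = 'Contribute';
// Placeholder: scheme and host of the host web this add-in is installed on,
// written without a trailing slash. Replace it with your own value.
var expectedHostOrigin = 'https://host-web.example';

// Filled in by the ready handler from the SPHostUrl / SPAppWebUrl query-string parameters.
var appweburl;
var hostweburl;
// SP.RequestExecutor instance; assigned in getTargetGroupId.
var executor;
// IDs filled in by the success callbacks of the two lookup requests.
var groupId;
var targetRoleDefinitionId;

$(document).ready(function () {
  // Both URLs come from the query string, so whoever builds the link to this
  // page chooses them. They decide where a script is loaded from and where
  // the permission-changing requests are sent, so check them before use.
  var rawHostUrl = getQueryStringParameter('SPHostUrl');
  var rawAppUrl = getQueryStringParameter('SPAppWebUrl');
  if (!rawHostUrl || !rawAppUrl) {
    // decodeURIComponent(undefined) would yield the string "undefined".
    alert('Request failed: SPHostUrl or SPAppWebUrl is missing from the query string.');
    return;
  }

  // Get the URI decoded URLs.
  hostweburl = decodeURIComponent(rawHostUrl);
  appweburl = decodeURIComponent(rawAppUrl);

  // Accept the host web only when it is the expected origin itself or a path
  // below it. Comparing against origin + '/' keeps look-alike hosts such as
  // "<origin>.other.example" or "<origin>@other.example" from matching.
  var hostLower = hostweburl.toLowerCase();
  var originLower = expectedHostOrigin.toLowerCase();
  if (hostLower !== originLower && hostLower.indexOf(originLower + '/') !== 0) {
    alert('Request failed: SPHostUrl does not match the expected host web.');
    return;
  }

  // NOTE(review): only the scheme of the add-in web URL is checked here.
  // The request digest is sent to this URL later, so consider comparing it
  // with the origin this page was served from as well - confirm for your deployment.
  if (!/^https?:\/\//i.test(appweburl)) {
    alert('Request failed: SPAppWebUrl is not an http(s) URL.');
    return;
  }

  // Load the cross-domain library file and continue to the custom code.
  var scriptbase = hostweburl + '/_layouts/15/';
  $.getScript(scriptbase + 'SP.RequestExecutor.js', getTargetGroupId);
});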
- // Get the ID of the target group.
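/**
 * Looks up the ID of the group named by `groupName` on the host web through
 * the cross-domain library, stores it in `groupId`, then continues with
 * getTargetRoleDefinitionId. Failures go to errorHandler.
 */
function getTargetGroupId() {
  executor = new SP.RequestExecutor(appweburl);

  // Inside an OData string literal a single quote is written as two single
  // quotes; the result is then percent-encoded so that characters such as
  // '&' or '#' cannot cut the URL short or add parameters to it.
  var groupLiteral = encodeURIComponent(String(groupName).replace(/'/g, "''"));
  var targetLiteral = encodeURIComponent(String(hostweburl).replace(/'/g, "''"));

  var endpointUri = appweburl
    + "/_api/SP.AppContextSite(@target)/web/sitegroups/getbyname('" + groupLiteral + "')/id"
    + "?@target='" + targetLiteral + "'";

  executor.executeAsync({
    url: endpointUri,
    method: 'GET',
    headers: { 'accept': 'application/json;odata=verbose' },
    success: function (responseData) {
      // The cross-domain library hands back the raw response text in `body`.
      var jsonObject = JSON.parse(responseData.body);
      groupId = jsonObject.d.Id;
      getTargetRoleDefinitionId();
    },
    error: errorHandler
  });
}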
- // Get the ID of the role definition that defines the permissions
- // you want to assign to the group.
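/**
 * Looks up the ID of the role definition named by `targetRoleDefinitionName`
 * on the host web, stores it in `targetRoleDefinitionId`, then continues with
 * breakRoleInheritanceOfList. Failures go to errorHandler.
 */
function getTargetRoleDefinitionId() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode, so the name cannot break out of the quoted literal.
  var roleLiteral = encodeURIComponent(String(targetRoleDefinitionName).replace(/'/g, "''"));
  var targetLiteral = encodeURIComponent(String(hostweburl).replace(/'/g, "''"));

  var endpointUri = appweburl
    + "/_api/SP.AppContextSite(@target)/web/roledefinitions/getbyname('" + roleLiteral + "')/id"
    + "?@target='" + targetLiteral + "'";

  executor.executeAsync({
    url: endpointUri,
    method: 'GET',
    headers: { 'accept': 'application/json;odata=verbose' },
    success: function (responseData) {
      var jsonObject = JSON.parse(responseData.body);
      targetRoleDefinitionId = jsonObject.d.Id;
      // Nothing has been changed on the list up to this point; the next step
      // is the first one that writes.
      breakRoleInheritanceOfList();
    },
    error: errorHandler
  });
}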
- // Break role inheritance on the list.
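/**
 * Breaks permission inheritance on the list named by `listTitle`, passing
 * `true` to breakroleinheritance so the current permission settings are kept.
 * On success continues with deleteCurrentRoleForGroup; on failure errorHandler
 * is called.
 */
function breakRoleInheritanceOfList() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode, so a title such as "Bob's List" still forms a valid URL.
  var listLiteral = encodeURIComponent(String(listTitle).replace(/'/g, "''"));
  var targetLiteral = encodeURIComponent(String(hostweburl).replace(/'/g, "''"));

  var endpointUri = appweburl
    + "/_api/SP.AppContextSite(@target)/web/lists/getbytitle('" + listLiteral + "')"
    + "/breakroleinheritance(true)?@target='" + targetLiteral + "'";

  executor.executeAsync({
    url: endpointUri,
    method: 'POST',
    // Write requests carry the form digest read from the page.
    headers: { 'X-RequestDigest': $('#__REQUESTDIGEST').val() },
    success: deleteCurrentRoleForGroup,
    error: errorHandler
  });
}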
- // Remove the current role assignment for the group on the list.
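/**
 * Removes the role assignment that the group `groupId` currently has on the
 * list. The request is a POST carrying X-HTTP-Method: DELETE. On success
 * continues with setNewPermissionsForGroup.
 *
 * Inheritance was already broken by the previous step; if this request fails,
 * errorHandler only reports it, so the list keeps its unique permissions with
 * the copied assignments unchanged.
 */
function deleteCurrentRoleForGroup() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode the values placed inside quoted literals.
  var listLiteral = encodeURIComponent(String(listTitle).replace(/'/g, "''"));
  var targetLiteral = encodeURIComponent(String(hostweburl).replace(/'/g, "''"));

  var endpointUri = appweburl
    + "/_api/SP.AppContextSite(@target)/web/lists/getbytitle('" + listLiteral + "')"
    + "/roleassignments/getbyprincipalid('" + groupId + "')?@target='" + targetLiteral + "'";

  executor.executeAsync({
    url: endpointUri,
    method: 'POST',
    headers: {
      'X-RequestDigest': $('#__REQUESTDIGEST').val(),
      'X-HTTP-Method': 'DELETE'
    },
    success: setNewPermissionsForGroup,
    error: errorHandler
  });
}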
- // Add the new role assignment for the group on the list.
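/**
 * Adds a role assignment on the list that binds the group `groupId` to the
 * role definition `targetRoleDefinitionId`. On success successHandler is
 * called.
 *
 * The group's previous assignment was removed by the step before this one;
 * if this request fails, errorHandler only reports it and the group is left
 * without an assignment on the list until the call is repeated.
 */
function setNewPermissionsForGroup() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode the values placed inside quoted literals.
  var listLiteral = encodeURIComponent(String(listTitle).replace(/'/g, "''"));
  var targetLiteral = encodeURIComponent(String(hostweburl).replace(/'/g, "''"));

  var endpointUri = appweburl
    + "/_api/SP.AppContextSite(@target)/web/lists/getbytitle('" + listLiteral + "')"
    + "/roleassignments/addroleassignment(principalid=" + groupId
    + ",roledefid=" + targetRoleDefinitionId + ")?@target='" + targetLiteral + "'";

  executor.executeAsync({
    url: endpointUri,
    method: 'POST',
    headers: { 'X-RequestDigest': $('#__REQUESTDIGEST').val() },
    success: successHandler,
    error: errorHandler
  });
}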
- // Get parameters from the query string.
- // For production purposes you may want to use a library to handle the query string.
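/**
 * Returns the raw (still percent-encoded) value of one query-string
 * parameter of the current page URL.
 *
 * @param {string} paramToRetrieve - Exact, case-sensitive parameter name.
 * @returns {string|undefined} The value, or undefined when the URL has no
 *   query string, the parameter is absent, or it has no "=value" part.
 */
function getQueryStringParameter(paramToRetrieve) {
  var pageUrl = document.URL;

  // A URL without "?" has no parameters; indexing the split result directly
  // would throw here.
  var queryStart = pageUrl.indexOf('?');
  if (queryStart === -1) {
    return undefined;
  }

  // The fragment is not part of the query string, so drop it before parsing.
  var query = pageUrl.substring(queryStart + 1);
  var fragmentStart = query.indexOf('#');
  if (fragmentStart !== -1) {
    query = query.substring(0, fragmentStart);
  }

  var params = query.split('&');
  for (var i = 0; i < params.length; i = i + 1) {
    // Split on the first "=" only, so a value that itself contains "=" is
    // returned whole.
    var separator = params[i].indexOf('=');
    var name = separator === -1 ? params[i] : params[i].substring(0, separator);
    if (name === paramToRetrieve) {
      return separator === -1 ? undefined : params[i].substring(separator + 1);
    }
  }
  return undefined;
}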
/** Tells the user that the last request in the chain completed. */
function successHandler() {
  var message = 'Request succeeded.';
  alert(message);
}
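/**
 * Reports a failed request to the user.
 *
 * This listing sends its requests through SP.RequestExecutor, whose error
 * callback passes a response object exposing `statusCode` and `body`, not the
 * `status` / `responseText` fields of a jQuery XHR. Both shapes are read, so
 * the message no longer shows "undefined" for the status and the response.
 *
 * @param {Object} xhr - Response object (SP.RequestExecutor) or jQuery XHR.
 * @param {*} ajaxOptions - Second callback argument; not used.
 * @param {*} thrownError - Error text supplied by the caller.
 */
function errorHandler(xhr, ajaxOptions, thrownError) {
  var response = xhr || {};
  var status = response.status !== undefined ? response.status : response.statusCode;
  var detail = response.responseText !== undefined ? response.responseText : response.body;
  // NOTE(review): the raw server response is shown to the user as-is; for
  // anything beyond a sample, log it and show a shorter message instead.
  alert('Request failed: ' + status + '\n' + thrownError + '\n' + detail);
}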
// Example 2: the same steps sent with jQuery AJAX requests to the site's REST endpoint.
// Replace every placeholder below with a real value before running this code.
// NOTE(review): the siteUrl placeholder uses http; the POST requests further
// down send the form digest in the X-RequestDigest header, so use the site's
// https URL wherever one is available.
var siteUrl = 'http://server/site';
var listTitle = 'List 1';
var groupName = 'Group A';
var targetRoleDefinitionName = 'Contribute';

// Filled in by the success callbacks of the two lookup requests.
var groupId;
var targetRoleDefinitionId;

// Start the request chain once the DOM is ready.
$(document).ready(function startRequestChain() {
  getTargetGroupId();
});
- // Get the ID of the target group.
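/**
 * Looks up the ID of the group named by `groupName`, stores it in `groupId`,
 * then continues with getTargetRoleDefinitionId. Failures go to errorHandler.
 */
function getTargetGroupId() {
  // Inside an OData string literal a single quote is written as two single
  // quotes; the result is then percent-encoded so that characters such as
  // '&' or '#' cannot cut the URL short.
  var groupLiteral = encodeURIComponent(String(groupName).replace(/'/g, "''"));

  $.ajax({
    url: siteUrl + "/_api/web/sitegroups/getbyname('" + groupLiteral + "')/id",
    type: 'GET',
    headers: { 'accept': 'application/json;odata=verbose' },
    success: function (responseData) {
      groupId = responseData.d.Id;
      getTargetRoleDefinitionId();
    },
    error: errorHandler
  });
}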
- // Get the ID of the role definition that defines the permissions
- // you want to assign to the group.
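/**
 * Looks up the ID of the role definition named by `targetRoleDefinitionName`,
 * stores it in `targetRoleDefinitionId`, then continues with
 * breakRoleInheritanceOfList. Failures go to errorHandler.
 */
function getTargetRoleDefinitionId() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode, so the name cannot break out of the quoted literal.
  var roleLiteral = encodeURIComponent(String(targetRoleDefinitionName).replace(/'/g, "''"));

  $.ajax({
    url: siteUrl + "/_api/web/roledefinitions/getbyname('" + roleLiteral + "')/id",
    type: 'GET',
    headers: { 'accept': 'application/json;odata=verbose' },
    success: function (responseData) {
      targetRoleDefinitionId = responseData.d.Id;
      // Nothing has been changed on the list up to this point; the next step
      // is the first one that writes.
      breakRoleInheritanceOfList();
    },
    error: errorHandler
  });
}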
- // Break role inheritance on the list.
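/**
 * Breaks permission inheritance on the list named by `listTitle`, passing
 * `true` to breakroleinheritance so the current permission settings are kept.
 * On success continues with deleteCurrentRoleForGroup; on failure errorHandler
 * is called.
 */
function breakRoleInheritanceOfList() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode, so a title such as "Bob's List" still forms a valid URL.
  var listLiteral = encodeURIComponent(String(listTitle).replace(/'/g, "''"));

  $.ajax({
    url: siteUrl + "/_api/web/lists/getbytitle('" + listLiteral + "')/breakroleinheritance(true)",
    type: 'POST',
    // Write requests carry the form digest read from the page.
    headers: { 'X-RequestDigest': $('#__REQUESTDIGEST').val() },
    success: deleteCurrentRoleForGroup,
    error: errorHandler
  });
}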
- // Remove the current role assignment for the group on the list.
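/**
 * Removes the role assignment that the group `groupId` currently has on the
 * list. The request is a POST carrying X-HTTP-Method: DELETE. On success
 * continues with setNewPermissionsForGroup.
 *
 * Inheritance was already broken by the previous step; if this request fails,
 * errorHandler only reports it, so the list keeps its unique permissions with
 * the copied assignments unchanged.
 */
function deleteCurrentRoleForGroup() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode the title placed inside the quoted literal.
  var listLiteral = encodeURIComponent(String(listTitle).replace(/'/g, "''"));

  $.ajax({
    url: siteUrl + "/_api/web/lists/getbytitle('" + listLiteral + "')"
      + '/roleassignments/getbyprincipalid(' + groupId + ')',
    type: 'POST',
    headers: {
      'X-RequestDigest': $('#__REQUESTDIGEST').val(),
      'X-HTTP-Method': 'DELETE'
    },
    success: setNewPermissionsForGroup,
    error: errorHandler
  });
}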
- // Add the new role assignment for the group on the list.
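/**
 * Adds a role assignment on the list that binds the group `groupId` to the
 * role definition `targetRoleDefinitionId`. On success successHandler is
 * called.
 *
 * The group's previous assignment was removed by the step before this one;
 * if this request fails, errorHandler only reports it and the group is left
 * without an assignment on the list until the call is repeated.
 */
function setNewPermissionsForGroup() {
  // Double any single quote (OData string-literal escaping), then
  // percent-encode the title placed inside the quoted literal.
  var listLiteral = encodeURIComponent(String(listTitle).replace(/'/g, "''"));

  $.ajax({
    url: siteUrl + "/_api/web/lists/getbytitle('" + listLiteral + "')"
      + '/roleassignments/addroleassignment(principalid='
      + groupId + ',roledefid=' + targetRoleDefinitionId + ')',
    type: 'POST',
    headers: { 'X-RequestDigest': $('#__REQUESTDIGEST').val() },
    success: successHandler,
    error: errorHandler
  });
}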
/** Shows a confirmation once the final request of the chain has succeeded. */
function successHandler() {
  var confirmation = 'Request succeeded.';
  alert(confirmation);
}
/**
 * jQuery AJAX error callback: shows the HTTP status, the thrown error text
 * and the response body of the failed request in an alert.
 *
 * @param {Object} xhr - Object whose `status` and `responseText` are shown.
 * @param {*} ajaxOptions - Second callback argument; not used.
 * @param {*} thrownError - Error text, shown on the second line.
 */
function errorHandler(xhr, ajaxOptions, thrownError) {
  var lines = [
    'Request failed: ' + xhr.status,
    thrownError,
    xhr.responseText
  ];
  // Each piece is joined with "+" (not Array.join) so null/undefined values
  // are rendered exactly as plain string concatenation renders them.
  alert(lines[0] + '\n' + lines[1] + '\n' + lines[2]);
}