kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Wire auto-elevate ownership across all SharePoint operations

Browse Source 
The "Auto-elevate ownership when permission scan is denied" setting was
dead code: the toggle was persisted but never read, the audit flow never
passed its onAccessDenied callback, and EnrichException wrapped every CSOM
error (including ServerUnauthorizedAccessException) into a generic
InvalidOperationException so the access-denied catch could never match.

Centralize elevation instead of per-call-site callbacks:

- Throw typed SharePointAccessDeniedException from EnrichException on
  access-denied, preserving the failing site URL and enriched diagnostic.
- Add scoped IElevationCoordinator that catches it, and when AutoTakeOwnership
  is enabled takes site-collection admin via the tenant admin endpoint and
  retries the operation once. Per-site dedupe prevents loops; admin-host
  denials are not treated as ownership issues. Retry is safe because each
  wrapped operation closure re-issues its own CSOM loads.
- Wrap all site-scoped operations (Storage, Permissions, Duplicates, Search,
  VersionCleanup, FolderStructure, BulkMembers, FileTransfer, Templates) and
  the UserAccessAudit per-site scan in the coordinator.
- Drop the unused onAccessDenied parameter from IUserAccessAuditService.

Elevation still requires SharePoint tenant admin rights on the signed-in
account; the coordinator surfaces a clear message when that is missing.

Also keeps the prior StorageService change that avoids admin-gated
folder.StorageMetrics (403 for delegated non-admin tokens).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sébastien QUEROL
2026-06-02 14:16:12 +02:00
parent b7061867f1
commit 57f5239cfc
17 changed files with 306 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Components/Pages/Templates.razor
+6 -2
View File
@@ -3,6 +3,7 @@
@inject IUserSessionService Session
@inject IUserContextAccessor UserContext
@inject ISessionManager SessionMgr
@inject IElevationCoordinator Elevation
@inject ITemplateService TemplateSvc
@inject SharepointToolbox.Web.Infrastructure.Persistence.TemplateRepository TemplateRepo
@rendermode InteractiveServer
@@ -108,9 +109,12 @@
var progress = new Progress<OperationProgress>(p => { _status = p.Message; InvokeAsync(StateHasChanged); });
try
{
var ctx = await SessionMgr.GetOrCreateContextAsync(siteUrl, Session.CurrentProfile!, _cts.Token);
var opts = new SiteTemplateOptions { CaptureLibraries = _capLibraries, CaptureFolders = _capFolders, CapturePermissionGroups = _capGroups };
var template = await TemplateSvc.CaptureTemplateAsync(ctx, opts, progress, _cts.Token);
var template = await Elevation.RunAsync(async c =>
{
var ctx = await SessionMgr.GetOrCreateContextAsync(siteUrl, Session.CurrentProfile!, c);
return await TemplateSvc.CaptureTemplateAsync(ctx, opts, progress, c);
}, _cts.Token);
template.Name = string.IsNullOrWhiteSpace(_captureName) ? $"Template-{DateTime.Now:yyyyMMdd}" : _captureName;
await TemplateRepo.SaveAsync(template);
_templates = (await TemplateRepo.GetAllAsync()).ToList();