kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
57f5239cfc2ef0e6bb2faac93ac81f86844d0f33
SharepointToolbox-Web/Components/Pages/Permissions.razor
T
kawa 57f5239cfc Wire auto-elevate ownership across all SharePoint operations 
The "Auto-elevate ownership when permission scan is denied" setting was
dead code: the toggle was persisted but never read, the audit flow never
passed its onAccessDenied callback, and EnrichException wrapped every CSOM
error (including ServerUnauthorizedAccessException) into a generic
InvalidOperationException so the access-denied catch could never match.

Centralize elevation instead of per-call-site callbacks:

- Throw typed SharePointAccessDeniedException from EnrichException on
  access-denied, preserving the failing site URL and enriched diagnostic.
- Add scoped IElevationCoordinator that catches it, and when AutoTakeOwnership
  is enabled takes site-collection admin via the tenant admin endpoint and
  retries the operation once. Per-site dedupe prevents loops; admin-host
  denials are not treated as ownership issues. Retry is safe because each
  wrapped operation closure re-issues its own CSOM loads.
- Wrap all site-scoped operations (Storage, Permissions, Duplicates, Search,
  VersionCleanup, FolderStructure, BulkMembers, FileTransfer, Templates) and
  the UserAccessAudit per-site scan in the coordinator.
- Drop the unused onAccessDenied parameter from IUserAccessAuditService.

Elevation still requires SharePoint tenant admin rights on the signed-in
account; the coordinator surfaces a clear message when that is missing.

Also keeps the prior StorageService change that avoids admin-gated
folder.StorageMetrics (403 for delegated non-admin tokens).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 14:16:12 +02:00

140 lines
5.3 KiB
Plaintext
Raw Blame History

@page "/permissions"
@attribute [Authorize]
@inject IUserSessionService Session
@inject ISessionManager SessionMgr
@inject IElevationCoordinator Elevation
@inject IPermissionsService PermSvc
@inject CsvExportService CsvExport
@inject HtmlExportService HtmlExport
@inject WebExportService WebExport
@rendermode InteractiveServer
<h1 class="page-title">Permissions Audit</h1>
@if (!Session.HasProfile) { <NoProfilePrompt /> return; }
<div class="card">
<div class="card-title">Scan Options</div>
<div class="form-row">
<div class="form-group">
<label class="form-label">Site URL</label>
<input class="form-input" @bind="_siteUrl" placeholder="@Session.CurrentProfile!.TenantUrl" />
</div>
</div>
<div class="form-row">
<div class="form-group" style="flex:0 0 auto">
<label class="form-label">Folder Depth</label>
<input class="form-input" type="number" @bind="_folderDepth" min="0" max="999" style="width:80px" />
</div>
<div class="form-group" style="display:flex;align-items:center;gap:16px;padding-top:20px">
<label><input type="checkbox" @bind="_includeInherited" /> Include inherited</label>
<label><input type="checkbox" @bind="_scanFolders" /> Scan folders</label>
<label><input type="checkbox" @bind="_includeSubsites" /> Include subsites</label>
</div>
</div>
<div class="flex-row mt-8">
<button class="btn btn-primary" @onclick="RunScan" disabled="@_running">
@(_running ? "Scanning…" : "Scan Site")
</button>
@if (_running)
{
<button class="btn btn-secondary" @onclick="Cancel">Cancel</button>
}
</div>
<ProgressPanel IsRunning="_running" StatusMessage="_status" Current="_current" Total="_total" />
</div>
@if (!string.IsNullOrEmpty(_error))
{
<div class="alert alert-error">@_error</div>
}
@if (_results.Count > 0)
{
<div class="card">
<div class="flex-row">
<div class="card-title">Results <span class="count-badge">@_results.Count</span></div>
<div class="spacer"></div>
<button class="btn btn-secondary btn-sm" @onclick="ExportCsv">Export CSV</button>
<button class="btn btn-secondary btn-sm" @onclick="ExportHtml">Export HTML</button>
</div>
<div class="data-table-wrap">
<table class="data-table">
<thead>
<tr>
<th>Type</th>
<th>Title</th>
<th>Users</th>
<th>Permission</th>
<th>Granted Through</th>
</tr>
</thead>
<tbody>
@foreach (var r in _results.Take(500))
{
<tr>
<td>@r.ObjectType</td>
<td title="@r.Url">@r.Title</td>
<td>@r.Users</td>
<td>@r.PermissionLevels</td>
<td>@r.GrantedThrough</td>
</tr>
}
</tbody>
</table>
</div>
@if (_results.Count > 500)
{
<div class="text-muted mt-8">Showing first 500 of @_results.Count rows. Export for full results.</div>
}
</div>
}
@code {
private string _siteUrl = string.Empty;
private bool _includeInherited, _includeSubsites;
private bool _scanFolders = true;
private int _folderDepth = 1;
private bool _running;
private string _status = string.Empty;
private string _error = string.Empty;
private int _current, _total;
private List<PermissionEntry> _results = new();
private CancellationTokenSource? _cts;
private async Task RunScan()
{
_error = string.Empty; _results.Clear(); _running = true;
_cts = new CancellationTokenSource();
var siteUrl = string.IsNullOrWhiteSpace(_siteUrl) ? Session.CurrentProfile!.TenantUrl : _siteUrl.Trim();
var progress = new Progress<OperationProgress>(p => { _status = p.Message; _current = p.Current; _total = p.Total; InvokeAsync(StateHasChanged); });
try
{
var opts = new ScanOptions(_includeInherited, _scanFolders, _folderDepth, _includeSubsites);
_results = (await Elevation.RunAsync(async c =>
{
var ctx = await SessionMgr.GetOrCreateContextAsync(siteUrl, Session.CurrentProfile!, c);
return await PermSvc.ScanSiteAsync(ctx, opts, progress, c);
}, _cts.Token)).ToList();
_status = $"Scan complete: {_results.Count} entries found.";
}
catch (OperationCanceledException) { _status = "Cancelled."; }
catch (Exception ex) { _error = ex.Message; }
finally { _running = false; await InvokeAsync(StateHasChanged); }
}
private void Cancel() => _cts?.Cancel();
private async Task ExportCsv()
{
var csv = CsvExport.BuildCsv(_results);
await WebExport.DownloadCsvAsync(csv, $"permissions_{DateTime.Now:yyyyMMdd_HHmmss}.csv");
}
private async Task ExportHtml()
{
var html = HtmlExport.BuildHtml(_results);
await WebExport.DownloadHtmlAsync(html, $"permissions_{DateTime.Now:yyyyMMdd_HHmmss}.html");
}
}
Reference in New Issue View Git Blame Copy Permalink