SharePoint 2013 - REST API about Security

1. 获取当前用户信息(current user)：

var currentUserInfo = "{0}/_api/Web/CurrentUser"; // {0} -> web Absolute Url

返回的数据：

2. 获取站点权限信息(site permission)：

var sitePermissionsInfo = "{0}/_api/Web/roleassignments?$expand=RoleDefinitionBindings,Member&$select=Member/Title,Member/Id,Member/IsHiddenInUI,Member/PrincipalType,RoleDefinitionBindings/Name,RoleDefinitionBindings/Order,Member/Users,Member/Groups&$filter=Member/IsHiddenInUI eq false&$orderby=Member/Title"; // {0} -> web Absolute Url

返回的数据与在站点 Site Permissions 页面看到的信息一样，此处有以下两点信息需要注意：

(1) user类型的 PrinciplalType 值为1，user group类型的 PrincipalType 值为8，domain group类型的 PrincipalType值为4；

(2) RoleDefinitionBindings中的 Order属性标识了该权限在站点集的 Permission Levels 中的位置顺序，Order值 从1 开始，详情可参考此页；默认情况下，站点自有权限级别Full Control 的 Order 为1；自定义的权限级别Order值都非常大，可通过 /_api/web/RoleDefinitions 来查看站点的权限级别，示例数据可参考下图；

3. 获取站点所有用户(site users):

var siteUsersInfo = "{0}/_api/Web/siteusers?$filter=IsHiddenInUI eq false and PrincipalType eq 1&$orderby=Title"; // {0} -> web Absolute Url

返回的数据与 /_layouts/15/people.aspx?MembershipGroupId=0 中的数据类似，此时不仅可以获取用户的 Title, Email, LoginName 及 Id，还可以通过 IsSiteAdmin 来得知该用户是否是 site collection administrator，也可以通过 IsHiddenInUI 来得知该用户是否是隐藏用户，而且，此处需要注意的是，返回的数据不仅包含当前站点的所有用户，还包括子站点的用户，甚至包含域用户(比如：sharepoint\system, NT AUTHORITY\LOCAL SERVICE等)：

4. 获取站点所有用户组(site groups):

var siteGroupsInfo = "{0}/_api/web/roleassignments/groups?$filter=IsHiddenInUI eq false and PrincipalType eq 8&$orderby=Title desc"; // {0} -> web Absolute Url

返回的数据如下，注意，此处返回的user groups指的是当前站点(web)下的用户组，并不包含子站点(sub site)的用户组；

5. 获取 列表/文档库 权限信息(list or library permission)：

var listPermissionURI = "{0}/_api/Web/Lists(guid'{1}')?$expand=RoleAssignments/Member,RoleAssignments/RoleDefinitionBindings&$select=Title,Id,RoleAssignments/Member/Title,RoleAssignments/Member/Id,RoleAssignments/Member/IsHiddenInUI,RoleAssignments/Member/PrincipalType,RoleAssignments/RoleDefinitionBindings/Name,RoleAssignments/RoleDefinitionBindings/Order,RoleAssignments/Member/Users,RoleAssignments/Member/Groups,HasUniqueRoleAssignments&$filter=RoleAssignments/Member/IsHiddenInUI eq false&$orderby=RoleAssignments/Member/Title desc"; // {0} -> web Absolute Url, {1} -> GUID of list/library, ------------------ $filter doesn't work, $orderby doesn't work

返回的数据如图，和site permission的数据结构类似，内容就是在 List Permission或Library Permission页面看到的内容；(我的代码中，$filter和$orderby不起作用，可能是由于层级太多导致的，比如 RoleAssignments/Title就可以起作用，但达到三个层级 RoleAssignments/Member/Title时就不再起作用了)

6. 获取文件夹权限信息(folder permission):

var folderPermissionInfo = "{0}/_api/Web/GetFolderByServerRelativeUrl('{1}')/ListItemAllFields?$expand=RoleAssignments/Member,RoleAssignments/RoleDefinitionBindings&$select=RoleAssignments/Member/Title,RoleAssignments/Member/Id,RoleAssignments/Member/PrincipalType,RoleAssignments/RoleDefinitionBindings/Name,RoleAssignments/RoleDefinitionBindings/Order,HasUniqueRoleAssignments";  //{0} -> web Absolute Url, {1} -> server-relative url of folder

返回的数据如下，与列表权限的数据结构几乎一致；但是，此种方法不能用作获取Library权限信息；

7. 获取文件权限信息(file permission):

var filePermissionInfo = "{0}/_api/Web/GetFileByServerRelativeUrl('{1}')/ListItemAllFields?$expand=RoleAssignments/Member,RoleAssignments/RoleDefinitionBindings&$select=RoleAssignments/Member/Title,RoleAssignments/Member/Id,RoleAssignments/Member/PrincipalType,RoleAssignments/RoleDefinitionBindings/Name,RoleAssignments/RoleDefinitionBindings/Order,HasUniqueRoleAssignments"; //{0} -> web Absolute Url, {1} -> server-relative url of file

返回的数据如下，与文件夹权限的数据结构一致；

8. 获取用户组中的用户信息(users in a group):

var usersInGroupInfo = "{0}/_api/Web/SiteGroups/GetById({1})/Users?$orderby=Title"; //{0} -> web Absolute Url, {1} -> group ID

返回的数据如下，

9. 检查 站点、列表、文档库、文件夹或文件是否有独立权限：

var uniquePermissionOfSite = "{0}/_api/Web/HasUniqueRoleAssignments";  //{0} -> web Absolute Url
var uniquePermissionOfList = "{0}/_api/Web/Lists(guid'{1}')/HasUniqueRoleAssignments";  // {0} -> web Absolute Url, {1} -> guid of list/library
var uniquePermissionOfFolder = "{0}/_api/Web/GetFolderByServerRelativeUrl('{1}')/ListItemAllFields/HasUniqueRoleAssignments"; //{0} -> web Absolute Url, {1} -> server-relative url of folder
var uniquePermissionOfFile = "{0}/_api/Web/GetFileByServerRelativeUrl('{1}')/ListItemAllFields/HasUniqueRoleAssignments"; //{0} -> web Absolute Url, {1} -> server-relative url of file

10. 根据 Id 获取 用户、用户组，根据Id获取用户所处用户组，以及根据Id获取用户组中的用户；

//get user by id, {0} is web absolute url, {1} is user id
{0}/gb0acb/_api/Web/GetUserById({1})
//get groups of a user, {0} is web absolute url, {1} is user id
{0}/_api/Web/GetUserById({1})/groups

//get group by id, {0} is web absolute url, {1} is group id
{0}/_api/Web/sitegroups({1})
//get users in a group, {0} is web absolute url, {1} is group id
{0}/_api/Web/SiteGroups/GetById({1})/Users

11.