cli-microsoft365: Bug report: Cannot add an owner to a site if I don't have access to the site already

Description

Some time ago we refactored the spo site classic set into the spo site set command and combined group site and regular site setting operations.

This has resulted in an issue. We can no longer set owners for a site if we are currently not an owner or site member of that site.

In other words, if I am a SharePoint administrator, I sometimes want to give myself access to site collections using scripts. But now I cannot.

This command is affected: https://pnp.github.io/cli-microsoft365/cmd/spo/site/site-set/

The reason for this situation is that the CLI first tries to retrieve if the site is a Group or not, right here

It does that using the site-specific API, which it cannot access because the logged-in user has no access yet.

I’m not sure how we should fix this yet. We had some thoughts on specific CRUD actions for Sitecollection admins, but these are currently nowhere near completion: #4173

What we could do is start using the tenant API to get the site details (just like spo site list).

Steps to reproduce

Try to add your own account as an owner to a site you have no access to:

m365 spo site set --url "https://contoso.sharepoint.com/sites/some-site" --owners martin@contoso.com

Implementation

We’ve decided to switch from the /sites/somesite/_api/site to use an admin API. We’ll want to use the following API call to fetch the right information:

POST https://tenant-admin.sharepoint.com/_api/SPO.Tenant/RenderAdminListData

data:

{
    "parameters": {
        "ViewXml": "<View><Query><Where><Contains><FieldRef Name='SiteUrl'/><Value Type='Text'>https://tenant.sharepoint.com/sites/yoursite</Value></Contains></Where></Query><ViewFields><FieldRef Name=\"GroupId\"/><FieldRef Name=\"SiteId\"/><FieldRef Name=\"SiteUrl\"/></ViewFields></View>"
    }
}

We’ll want to place this functionality in a util function, so we can reuse it in other places. I’d suggest we add the following function to the spo.ts util function:

/**
 * Retrieves sites from the tenant through the SharePoint admin site.
 * @param adminUrl URL of the SharePoint admin site
 * @param camlQuery An optional viewQuery to add to the CAML query between the <Query> tags.
 * @param viewFields An optional array of internal names of fields to include in the response.
 */
getTenantSites(adminUrl: string, camlQuery?: string, viewFields?: string[])
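
One way to build the RenderAdminListData request body described above and to select the right row from its result, as an added example that is not code from the issue or from cli-microsoft365. The helper names, the row shape (taken from the requested ViewFields) and the all-zero GUID check for sites without a group are assumptions.

```typescript
// Added example: all function and type names below are hypothetical.
const XML_ENTITIES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;'
};
// Escape text before placing it inside a CAML <Value> element.
const xmlEscape = (s: string): string => s.replace(/[&<>"']/g, c => XML_ENTITIES[c] || c);

// Conservative pattern for field internal names (assumption of this example).
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Row shape assumed from the ViewFields requested in the issue.
interface TenantSiteRow { GroupId: string; SiteId: string; SiteUrl: string; }

function buildRequestBody(siteUrl: string, viewFields: string[] = ['GroupId', 'SiteId', 'SiteUrl']): string {
  for (const f of viewFields) {
    if (!FIELD_NAME.test(f)) { throw new Error(`Invalid field name: ${f}`); }
  }
  const fields = viewFields.map(f => `<FieldRef Name="${f}"/>`).join('');
  const viewXml = `<View><Query><Where><Contains><FieldRef Name='SiteUrl'/>` +
    `<Value Type='Text'>${xmlEscape(siteUrl)}</Value></Contains></Where></Query>` +
    `<ViewFields>${fields}</ViewFields></View>`;
  // JSON.stringify handles the quote escaping shown by hand in the issue.
  return JSON.stringify({ parameters: { ViewXml: viewXml } });
}

const normalizeUrl = (u: string): string => u.replace(/\/+$/, '').toLowerCase();

// <Contains> also matches sites whose URL merely starts with the target,
// so keep only the row whose SiteUrl is exactly the requested site.
function pickExactSite(rows: TenantSiteRow[], siteUrl: string): TenantSiteRow {
  const matches = rows.filter(r => normalizeUrl(r.SiteUrl) === normalizeUrl(siteUrl));
  if (matches.length !== 1) {
    throw new Error(`Expected exactly one site for ${siteUrl}, found ${matches.length}`);
  }
  return matches[0];
}

// Assumption: a site without a Microsoft 365 group reports the all-zero GUID.
const EMPTY_GUID = '00000000-0000-0000-0000-000000000000';
const isGroupSite = (row: TenantSiteRow): boolean => !!row.GroupId && row.GroupId !== EMPTY_GUID;

// Constructed sample rows: two sites sharing a URL prefix.
const SAMPLE_ROWS: TenantSiteRow[] = [
  { GroupId: EMPTY_GUID, SiteId: 'id-1', SiteUrl: 'https://tenant.sharepoint.com/sites/yoursite' },
  { GroupId: '11111111-2222-3333-4444-555555555555', SiteId: 'id-2', SiteUrl: 'https://tenant.sharepoint.com/sites/yoursite2' }
];
```

Because the query uses `Contains`, granting ownership based on the first returned row could act on a different site than the one requested; the exact-match step is what prevents that.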

About this issue

  • State: open
  • Created a year ago
  • Comments: 27 (27 by maintainers)

Most upvoted comments

Well, you need to add the xml envelope specific to this endpoint… (check out site-list.ts)

Something I can work on?

By the way, out of curiosity, are you sure RenderListDataAsStream can handle the threshold limit? It’s basically an endpoint to send CAML queries to. CAML queries can also run into threshold limit errors. Do you have documentation to support this?

No official documentation found regarding that. Only that it’s the recommended approach when retrieving info from large lists and some blog posts that say it can handle the threshold limit

Thanks for the research @nicodecleyre!

Let’s stick then with the first option and use RenderAdminListData, it’s the official api that the ui uses in the new SharePoint admin portal and it’s a wrapper over the RenderListDataAsStream, which can handle the 5000 threshold limit…

Maybe just an id? It should have one, although it might be named differently…

Doesn’t seem so… The same goes for spo site list, it doesn’t display an id