Manage SharePoint List Items without having Permission on List using SharePoint 2013/Office 365 Designer Workflow - Collab365

2015-10-03

Creating a SharePoint list item in a list where I don’t have access

I already discussed a SharePoint 2013/Office 365 security issue/bug on the SharePoint Community discussion board two days ago, at the link below:

https://collab365.org/topics/without-permissions-you-can-perform-read-write-delete-operations 

Today, in an Office 365 environment, I created a workflow, using an App Step, which performs an item creation operation on a list on which the user doesn’t have permission.

I have two SharePoint custom lists:

  • Full Permission List (user Hemant has full control)
  • Unique Permission List (user Hemant does not have rights)

Full Permission List, where the user (Hemant) has full permission on the list, as below.

Unique Permission List, where the user (Hemant) does not have permission on the list, as below. He cannot perform add/update/delete operations.

In the ideal scenario, if I try to add an item to “Unique Permission List”, I have no rights on “Unique Permission List”, so I cannot add an item to it.

But I have full rights to create items in “Full Permission List”. I can also create a workflow on “Full Permission List”.

So, now I will create a workflow on “Full Permission List”, and in the workflow I will add one “App Step” activity. The “App Step” activity runs under elevated privileges.

Now, using the “App Step” activity, I will create one list item in “Unique Permission List”, as shown below.

As the “App Step” activity runs under elevated privileges, it will also create an item in “Unique Permission List”.

So, even though I don’t have permission on “Unique Permission List”, I have successfully created an item in “Unique Permission List”.

Let’s check the full flow:

1> I (Hemant) will log in and create an item in “Full Permission List”, as shown below.

2> The item will be added to “Full Permission List”, as shown below. Simultaneously, it will also add an item to “Unique Permission List”, on which I do not have permission.

3> Now, I will log in as a different user who has permission on “Unique Permission List” to view the item newly added using the “App Step”, as shown below.

So, we’ve created a workflow which will add data from “Full Permission List” to “Unique Permission List” with user “Hemant”.

Ideal scenario: Data should not be added to “Unique Permission List”, as Hemant does not have permission on the list.

Actual scenario: Data gets added to “Unique Permission List”, as we have used the “App Step” activity in the workflow, which runs under elevated privileges.

So, can we consider this scenario a security loophole or bug of Microsoft SharePoint 2013/Office 365?

I have tested this scenario by just adding an item to the list on which I do not have permission. You can find more updates at: https://community.office365.com/en-us/f/148/t/411719

But by following this trick I can even destroy the list item, and even the list as well.

Please provide your views!!

Thanks!!
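The behaviour described in this post, as an added example that is not part of the original post and is not SharePoint code: a simplified Python model of why an “App Step” action succeeds where a normal step is refused, with an audit function that flags “App Step” actions reaching lists the workflow author cannot write to. The `ACL` table, the `Action`/`Workflow` classes, the workflow names and the `Admin` user are constructed assumptions.

```python
# Simplified model (added example): lists, ACLs and workflows below are
# constructed sample data, not SharePoint API objects.
from dataclasses import dataclass

# Constructed ACL: list name -> users allowed to add/update/delete items.
ACL = {
    "Full Permission List": {"Hemant", "Admin"},
    "Unique Permission List": {"Admin"},
}

@dataclass
class Action:
    kind: str          # e.g. "CreateListItem"
    target_list: str
    app_step: bool     # True when the action sits inside an App Step

@dataclass
class Workflow:
    name: str
    author: str        # user who created the workflow
    actions: list

def can_write(user, list_name):
    return user in ACL.get(list_name, set())

def run(workflow, initiator):
    """Return the lists written to, given the identity each step runs as."""
    written = []
    for a in workflow.actions:
        # A normal step is checked against the initiating user; an App Step
        # runs under elevated privileges, so the user's rights are not consulted.
        if a.app_step or can_write(initiator, a.target_list):
            written.append(a.target_list)
    return written

def audit(workflows):
    """Flag App Step actions on lists the workflow author cannot write to."""
    findings = []
    for wf in workflows:
        for a in wf.actions:
            if a.app_step and not can_write(wf.author, a.target_list):
                findings.append((wf.name, wf.author, a.kind, a.target_list))
    return findings

WORKFLOWS = [
    Workflow("Copy on create", "Hemant",
             [Action("CreateListItem", "Unique Permission List", True)]),
    Workflow("Copy without app step", "Hemant",
             [Action("CreateListItem", "Unique Permission List", False)]),
]
```

Calling `audit(WORKFLOWS)` returns only the “Copy on create” workflow, the one whose App Step crosses a permission boundary its author cannot cross directly.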


About the author 

Hemant Patel
