A lot of people ask on the MSDN SharePoint 2013 forums how they can host an app on their public site.
They want to use the app model on a public-facing site where visitors are anonymous or where the
current user does not have the required permissions: in developer's terms, something like
elevated privileges in the app model. I think many developers start working with the API
from small tutorials, sample code and hands-on labs (HOL) without understanding what the new
SharePoint 2013 API is doing. The new app model does away with the usual impersonation
confusion and makes it very clear to developers that there is no impersonation capability in the
SharePoint 2013 API. So if elevated privileges and impersonation are not there, how can you get
things done? The answer is the "App Only Policy".
The App Only Policy
In a scenario where the app has to do some work for which the current user does not
have permission, we use the app-only policy. It applies when the user did not provide
any kind of credential: an OAuth access token is present but does not contain
user information. Permissions are then evaluated based on the app instead of the
user.
Authorization in SharePoint 2013 is divided between two types
of entities:
1. Permissions for users.
2. Permissions for apps.
App authorization policies types
User + app policy—When
the user + app policy is used, the authorization checks take into account both
the user identity and the app identity. In particular, when this policy is
used, authorization checks succeed only if both the current user and the app
have sufficient permissions to perform the action in question.
An example of when this policy is used is when a SharePoint
site has an embedded IFRAME that links to an Office Store app, and the app calls
back to SharePoint to access SharePoint resources on behalf of the user. That
is, when an Office Store app, which does not run in SharePoint Server, wants to
act on behalf of the user to get access to the user's resources.
App-only policy—When
the app-only policy is used, the content database authorization checks take
into account only the app identity. In particular, when this policy is used, an
authorization check succeeds only if the current app has sufficient permissions
to perform the action in question, regardless of the permissions of the current
user (if any).
OAuth is required to generate the app token, so the app-only policy can
only be used for auto-hosted apps
or provider-hosted apps.
SharePoint-hosted apps cannot use the app-only policy.
To request that your app use the app-only policy, add an attribute called
"AllowAppOnlyPolicy" with the value true to the AppPermissionRequests node. The user
must be a Site Collection Administrator to allow use of the app-only
policy.
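Because an app-only call is authorized on the app's rights alone, it is worth reviewing what a manifest requests before a Site Collection Administrator approves it. The script below is an added example, not code from the original post: the sample manifest is constructed, and the names review_manifest, local and the max_right threshold are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (not from the original post).
SAMPLE_MANIFEST = """\
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     Name="PublicSiteApp" ProductID="{00000000-0000-0000-0000-000000000000}"
     Version="1.0.0.0" SharePointMinVersion="15.0.0.0">
  <AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
  </AppPermissionRequests>
</App>"""

# SharePoint app rights, ordered from narrowest to broadest.
RIGHT_ORDER = ["Read", "Write", "Manage", "FullControl"]


def local(tag):
    """Strip the XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def review_manifest(xml_text, max_right="Read"):
    """Return (app_only, findings) for an AppManifest.xml document.
    With the app-only policy on, the requested rights are the only check,
    so every request broader than max_right (an assumed review threshold)
    is returned as a (scope, right) finding.
    """
    root = ET.fromstring(xml_text)
    limit = RIGHT_ORDER.index(max_right)
    app_only, findings = False, []
    for node in root.iter():
        if local(node.tag) != "AppPermissionRequests":
            continue
        app_only = node.get("AllowAppOnlyPolicy", "false").strip().lower() == "true"
        for req in node:
            right = req.get("Right", "")
            # Unrecognised right names rank above FullControl so they get reviewed.
            rank = RIGHT_ORDER.index(right) if right in RIGHT_ORDER else len(RIGHT_ORDER)
            if app_only and rank > limit:
                findings.append((req.get("Scope", ""), right))
    return app_only, findings


if __name__ == "__main__":
    enabled, issues = review_manifest(SAMPLE_MANIFEST)
    print("App-only policy requested:", enabled)
    print("Requests to review:", issues)
```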
On Code
Reference and Helpful Links
http://code.msdn.microsoft.com/office/SharePoint-2013-Make-app-6e3d1ee9
By Usama Wahab Khan