in connectors/sources/sharepoint_online.py [0:0]
def _has_limited_access(role_assignment):
    """Report whether a role assignment shows no evidence of view access.

    This is a fail-closed check: the result is ``True`` ("limited access")
    unless at least one role definition binding demonstrably grants view
    rights. A role assignment without any bindings is therefore treated as
    limited.

    ``self`` is not a parameter; it is taken from the enclosing scope.

    Args:
        role_assignment: Mapping that is read for ``RoleDefinitionBindings``
            and, for the debug message, ``odata.id``.

    Returns:
        ``False`` as soon as one binding grants view access, ``True``
        otherwise.
    """
    role_bindings = role_assignment.get("RoleDefinitionBindings", [])

    # Missing permission data is never read as "access granted".
    if not role_bindings:
        self._logger.debug(
            f"No RoleDefinitionBindings found for '{role_assignment.get('odata.id')}'"
        )
        return True

    def _grants_view(binding):
        # Bit-math background: https://stackoverflow.com/questions/51897160/how-to-parse-getusereffectivepermissions-sharepoint-response-in-java
        # The approach was confirmed as valid by a Microsoft Sr. Support Escalation Engineer.
        # NOTE(review): int() raises if the stored value is not integer-parsable;
        # nothing here catches that, so confirm the caller's behaviour on malformed data.
        low_bits = int(
            nested_get_from_dict(binding, ["BasePermissions", "Low"], "0")  # pyright: ignore
        )
        kind = binding.get("RoleTypeKind", 0)

        if low_bits & VIEW_ITEM_MASK:
            return True
        if low_bits & VIEW_PAGE_MASK:
            return True
        return kind in VIEW_ROLE_TYPES

    # One binding with view rights is enough to rule out "limited access";
    # with none, the member is assumed to be limited.
    return not any(_grants_view(binding) for binding in role_bindings)