Hubsite REST API is not consistent for user with read permissions

[sebastienlevert]

Category

• Question
• Typo
• Bug
• Additional article idea

Expected or Desired Behavior

When calling the Hubsite REST API with the GetById method, I should be able to get information about the hub if I have access anywhere within it.

Observed Behavior

Behaviors change between tenants but the following behavior is seen on multiple tenants right now.

When requesting a hub with a hubsiteid that exists and should work, we get an access denied error :

<m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
    <m:code>-2147024891, System.UnauthorizedAccessException</m:code>
    <m:message xml:lang="en-US">
        Access denied. You do not have permission to perform this action or access this resource.
    </m:message>
</m:error>

I believe this resource should always return data if the connected user has access to any site that is associated to the hub.

Steps to Reproduce

1. Create a new site
2. Register it as a hub
3. Add a reader accounts to the root of the hub
4. Connect to the site with the reader account
5. Run the following REST call in your browser https://tenant.sharepoint.com/_api/HubSites/GetById?hubSiteId='f93eff08-5806-499c-92db-38800eefbe44'

On some tenants this will work all the time, some tenants will have different behavior based on the hub (nothing different between hubs) and some tenants will never work.

I also validated that no "specific" rights were assigned to "join" a hub on those hubs (for example, using the Grant-PnPHubsiteRights Cmdlet.

Discussion

I'm about to thing that this API should not be public as I can update the hub using the GetById method (which seems... weird?) and could also expose data to readers that they should not see (the ACLs of which users / groups can or cannot create sites joined to the hub.

[msft-github-bot]

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

[sebastienlevert]

I'm reopening this one as we have started to see new reports of these APIs being unstable. Are they meant to be used or not? Not, users with read permissions on ALL the sites within a hubsite, including the hubsite, can't read the hubsite API as it's empty.

[tioger]

Same error when i call _api/hubsites with a new account, i try to put the user on full control and same problem.
I put the same user on Site Collection Admin and the _api/hubsites still empty for this user.

[jb-pushkar]

While working with GET /_api/HubSites I'm receiving the below error.
{ "odata.error": { "code": "-2147024891, System.UnauthorizedAccessException", "message": { "lang": "en-US", "value": "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" } } }
Further, while generating the creds I followed the attached SharePoint add-ins permission request scope URIs and their corresponding aliases
Through this, I was able to give all the permission to my clientId. But still, I'm receiving the System.UnauthorizedAccessException

[github-actions]

Thank you for taking the time to file an issue. We periodically archive older or inactive issues as part of our issue management process, which automatically closes them once they are archived.

If you’d like to understand more about why and how we handle archived (closed) issues, please see Our approach to closed issues.

We appreciate your contribution and if this is still an active issue with the latest SPFx versions, please do resubmit the details. We needed to perform a cleanup, so that we can start with a clean table with a new process. We apologize for the inconvenience this might cause.