I’ve built a SharePoint 2013 app that requests permissions on the fly via OAuth. The scope being requested is Web.Write. I’ve been able to authorize this app as a SharePoint user who is part of the Team Site Owners group, since that group gives the user Full Control. However, I receive an access_denied error code in the redirect if I’m a “normal” user who is part of Team Site Members.
I gradually added increasing levels of permissions for the user, and it appears that in addition to the Edit permission granted to the user by virtue of being in Team Site Members, the user also requires “Manage Permissions”, “Create Subsites” and “Manage Web Site”, which doesn’t make much sense to me. Even the scope List.Read requires this level of permissions to complete the OAuth flow.
Is there a workaround possible that allows normal SharePoint users to grant access to data they can edit without having to get their admin involved?
For example, here is a screenshot of the page when requesting Web.Write scope and the ‘Create Subsites’ permission isn’t provided to the user:
(The actual domain has been replaced with “example.com”)
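The redirect described in the question is the app-side half of the on-the-fly permission request. The following is an added example (not code from the question or from SharePoint itself) that builds the authorization request and classifies the redirect that comes back, so that an `error=access_denied` reply is surfaced as a clear result rather than treated as a missing authorization code. It assumes the SharePoint 2013 authorize page at `_layouts/15/OAuthAuthorize.aspx` under the site URL, the standard OAuth 2.0 query parameters (`client_id`, `scope`, `response_type`, `redirect_uri`, `state`, `code`, `error`, `error_description`), and a hypothetical app callback at `https://app.example.com/callback`; the sample redirect URLs are constructed for the example.

```javascript
// Added example: build a SharePoint 2013 permission-request URL and interpret
// the redirect. Assumes the authorize page lives at _layouts/15/OAuthAuthorize.aspx
// relative to the site and that the redirect carries standard OAuth 2.0 parameters.

// Build the authorize URL under the site (not the web-application root), so a
// site collection such as https://example.com/sites/team keeps its path prefix.
function buildAuthorizeUrl(siteUrl, clientId, scope, redirectUri, state) {
  const base = siteUrl.replace(/\/?$/, '/'); // ensure a trailing slash
  const u = new URL('_layouts/15/OAuthAuthorize.aspx', base);
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('scope', scope);           // e.g. Web.Write or List.Read
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('redirect_uri', redirectUri);
  if (state) u.searchParams.set('state', state); // anti-CSRF binding
  return u.toString();
}

// Classify the redirect: state mismatch, provider error (access_denied etc.),
// missing code, or a usable authorization code.
function parseRedirect(redirectUrl, expectedState) {
  const p = new URL(redirectUrl).searchParams;
  if (expectedState !== undefined && p.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const error = p.get('error');
  if (error) {
    return { ok: false, reason: error, description: p.get('error_description') || '' };
  }
  const code = p.get('code');
  if (!code) return { ok: false, reason: 'missing_code' };
  return { ok: true, code };
}

// Constructed sample values (hypothetical site, client id and callback).
const SITE = 'https://example.com/sites/team';
const CALLBACK = 'https://app.example.com/callback';
const STATE = 'n0nce-1234';

function demo() {
  const authorize = buildAuthorizeUrl(SITE, 'client-id-placeholder', 'Web.Write', CALLBACK, STATE);
  // Constructed redirects: what the user from Team Site Members saw, and a success case.
  const denied = parseRedirect(CALLBACK + '?error=access_denied&state=' + STATE, STATE);
  const granted = parseRedirect(CALLBACK + '?code=AUTHCODE&state=' + STATE, STATE);
  return { authorize, denied, granted };
}

console.log(demo());
```

`parseRedirect` checks `state` before looking at `error` or `code`, so a forged or replayed redirect is rejected before the app acts on anything it carries; the `access_denied` case from the question is returned as a distinct reason, which is what the app should log and show to the user.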