SharePoint: Unique list permissions: The server was unable to save the form at this time
Consider the following scenario:
You break permission inheritance on a list and give some users permission to only that list.
The users can browse to the list, but when they try to add an item to the list or edit an existing item, the following error occurs:
The server was unable to save the form at this time. Please try again
Cause:
This happens if the “UseRemoteAPIs” permission is removed from the “Limited Access” permission level.
“UseRemoteAPIs” is required to add and edit items in SharePoint 2013 and 2016 because a Client-Side Object Model (CSOM) call is made to complete the update.
The “UseRemoteAPIs” permission can be either removed manually, or by activating the “Limited-access user permission lockdown mode” (ViewFormPagesLockDown) site collection feature.
Note: Sites created using the “Publishing Portal” site template will have this feature activated by default.
This feature removes the ViewFormPages and UseRemoteAPIs permissions from the “Limited Access” permission level, in which case, “Limited Access” will only contain these permissions:
Open, BrowseUserInfo, UseClientIntegration
Turning off the feature results in an update to the Limited Access permission level to match an out-of-box Team site:
Open, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, ViewFormPages
You can use this PowerShell to check the Limited Access permission level on the problem site:
$siteCollectionUrl = Get-SPWeb -Identity “http://team.contoso.com”
$lmtd = $siteCollectionUrl.RoleDefinitions[‘Limited Access’]
$lmtd.BasePermissions
Resolution:
Deactivate the “Limited-access user permission lockdown mode” site collection feature.
This can be done in Site Settings | Site Collection Features, or by using PowerShell like this:
Disable-SPFeature -URL “http://team.contoso.com” -Identity ViewFormPagesLockDown
If the feature is already disabled, then you could try toggling it, or simply use the following PowerShell to manually add the proper permissions back to the “Limited Access” permission level:
$siteCollectionUrl = Get-SPWeb -Identity “http://team.contoso.com”
$lmtd = $siteCollectionUrl.RoleDefinitions[‘Limited Access’]
$b1 = [Microsoft.sharepoint.spbasepermissions]::ViewFormPages
$b2 = [Microsoft.sharepoint.spbasepermissions]::Open
$b3 = [Microsoft.sharepoint.spbasepermissions]::BrowseUserInfo
$b4 = [Microsoft.sharepoint.spbasepermissions]::UseClientIntegration
$b5 = [Microsoft.sharepoint.spbasepermissions]::UseRemoteAPIs
$lmtd.BasePermissions = “$b1,$b2,$b3,$b4,$b5”
$lmtd.Update()
Data Capture:
This is what you’d see in a Fiddler trace:
Client Request: (POST:http://team.contoso.com/_vti_bin/client.svc/ProcessQuery)
Server Response:
{
“SchemaVersion”:”15.0.0.0″,”LibraryVersion”:”15.0.4905.1000″,”ErrorInfo”:{
“ErrorMessage”:”Access denied. You do not have permission to perform this action or access this resource.”,”ErrorValue”:null,”TraceCorrelationId”:” f682929e-089c-0012-0b83-1d144a5deb75“,”ErrorCode”:-2147024891,”ErrorTypeName”:”System.UnauthorizedAccessException”
},”TraceCorrelationId”:”f682929e-089c-0012-0b83-1d144a5deb75“
}
]
And this is what you’d see in the SharePoint ULS logs:
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Foundation CSOM ajwqj Medium Request does not have SPBasePermissions.UseRemoteAPIs permission. Need to check it when each API is accessed f682929e-089c-0012-0b83-1d144a5deb75
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Foundation CSOM ajwqh High The request does not have required permission to access SP.RequestContext.Current f682929e-089c-0012-0b83-1d144a5deb75
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Foundation CSOM ahjq1 High Exception occured in scope Microsoft.SharePoint.SPContext.get_Current. Exception=System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at Microsoft.SharePoint.Client.ServerStub.CheckRequiredResourceRight(ProxyContext proxyContext, String memberName, ResourceRight right) at Microsoft.SharePoint.Client.ServerStub.CheckBlockedGetProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.ServerStub.SPContextServerStub.GetStaticProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.Client.ServerStub.GetStaticPropertyWithMonitoredScope(String propertyName, ProxyContext proxyContext) f682929e-089c-0012-0b83-1d144a5deb75
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Foundation CSOM agmjp High Original error: System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at Microsoft.SharePoint.Client.ServerStub.CheckRequiredResourceRight(ProxyContext proxyContext, String memberName, ResourceRight right) at Microsoft.SharePoint.Client.ServerStub.CheckBlockedGetProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.ServerStub.SPContextServerStub.GetStaticProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.Client.ServerStub.GetStaticPropertyWithMonitoredScope(String propertyName, ProxyContext proxyContext) f682929e-089c-0012-0b83-1d144a5deb75
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Portal Server Microfeeds aizmo Medium SocialRESTExceptionProcessingHandler.DoServerExceptionProcessing – SharePoint Server Exception [System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at Microsoft.SharePoint.Client.ServerStub.CheckRequiredResourceRight(ProxyContext proxyContext, String memberName, ResourceRight right) at Microsoft.SharePoint.Client.ServerStub.CheckBlockedGetProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.ServerStub.SPContextServerStub.GetStaticProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.Client.ServerStub.GetStaticPropertyWithMonitoredScope(String propertyName, ProxyContext proxyContext)] f682929e-089c-0012-0b83-1d144a5deb75
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Foundation Authentication Authorization alkvd Medium Throw UnauthorizedAccessException instead of SPUtilityInternal.Send401 for client.svc request. f682929e-089c-0012-0b83-1d144a5deb75
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Foundation CSOM agmjp High Original error: System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at Microsoft.SharePoint.Client.ServerStub.CheckRequiredResourceRight(ProxyContext proxyContext, String memberName, ResourceRight right) at Microsoft.SharePoint.Client.ServerStub.CheckBlockedGetProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.ServerStub.SPContextServerStub.GetStaticProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.Client.ServerStub.GetStaticPropertyWithMonitoredScope(String propertyName, ProxyContext proxyContext) at Microsoft.SharePoint.Client.ClientMethodsProcessor.InvokeStaticGetProperty(String typeId, String propName) at Microsoft.SharePoint.Client.ClientMethodsProcessor.GetObjectFromObjectPath(XmlElement xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.GetObjectFromObjectPathId(String objectPathId) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessInstantiateObjectPath(XmlElement xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessOne(XmlElement xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStatements(XmlNode xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.Process() f682929e-089c-0012-0b83-1d144a5deb75
09/26/2018 08:12:39.10 w3wp.exe (0x29F0) 0x0868 SharePoint Portal Server Microfeeds aizmo Medium SocialRESTExceptionProcessingHandler.DoServerExceptionProcessing – SharePoint Server Exception [System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. at Microsoft.SharePoint.Client.ServerStub.CheckRequiredResourceRight(ProxyContext proxyContext, String memberName, ResourceRight right) at Microsoft.SharePoint.Client.ServerStub.CheckBlockedGetProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.ServerStub.SPContextServerStub.GetStaticProperty(String propName, ProxyContext proxyContext) at Microsoft.SharePoint.Client.ServerStub.GetStaticPropertyWithMonitoredScope(String propertyName, ProxyContext proxyContext) at Microsoft.SharePoint.Client.ClientMethodsProcessor.InvokeStaticGetProperty(String typeId, String propName) at Microsoft.SharePoint.Client.ClientMethodsProcessor.GetObjectFromObjectPath(XmlElement xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.GetObjectFromObjectPathId(String objectPathId) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessInstantiateObjectPath(XmlElement xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessOne(XmlElement xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStatements(XmlNode xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.Process()] f682929e-089c-0012-0b83-1d144a5deb75