Power Pages Web API: PATCH by GUID returns 500 (9004010A) on Contact-scope table

(1) Share

Report

Posted on by bspangler

I'm creating a single-page application site in Power Pages and I have a custom Dataverse table (mytable) with a Contact-scope table permission (contactrelationship set to a lookup field pointing back to the current portal user) that is only partially working. The table permission has read: true, write: true, create: true.

What works

GET /_api/mytable?$select=...&$filter=...
- Collection GET with OData filter works correctly and respects Contact-scope (only returns the current user's records)
POST /_api/mytable
- Creating a new record with cd_Applicant@odata.bind: /contacts(...) works (204)

What fails

PATCH /_api/mytable(guid)
- Always returns 500 / 9004010A, regardless of body content
This is consistent with a known issue where GET /_api/mytable(guid) (direct by primary key) also returns 500 for Contact-scope tables

I have verified

The CSRF token (__RequestVerificationToken) is valid
- A 401 test with an invalid token confirms the token mechanism works
The Webapi/<table>/fields site setting has every field in the PATCH body explicitly listed (not *)
Content-Type: application/json and OData-Version: 4.0 headers are present
The record being PATCHed was created by the current portal user in the same session, so the Contact relationship is set correctly
Reducing the PATCH body to a single simple field ({"status_field": 0}) still returns the same error

Is PATCH by primary key simply not supported for Contact-scope tables in Power Pages Web API, the same way GET by primary key is not supported? If so, what is the recommended pattern for updating an existing Contact-scope record from a portal SPA/Code Site?

Categories:

I have the same question (0)

All responses (3)

Answers (0)

Suggested answer

Ajlan 237 on at

Like (0)

Report
Copy link

Link copied!

Hey,

Yes, this is a known limitation. PATCH /_api/mytable(guid) has the same issue as GET by primary key for Contact-scope tables, the permission join that validates record ownership simply doesn't run for direct-PK requests, hence the 9004010A error. It's not your CSRF token, headers, or site settings.
The fix is to use $filter instead of addressing the record by GUID in the URL:
PATCH /_api/mytable?$filter=mytable_id eq <your-guid>

Was this reply helpful? Yes No
bspangler 15 on at

Like (0)

Report
Copy link

Link copied!

@Ajlan thanks for confirming this is a known limitation! Unfortunately, when I tried the PATCH via $filter, I got the following error: failed (405): {"error":{"code":"9004010D","message":"Common Data Service error occurred.","cdscode":"","innererror":{"code":"","message":"The requested resource does not support http method 'PATCH'."}}}

Was this reply helpful? Yes No
Suggested answer

rezarizvii 35 on at

Like (0)

Report
Copy link

Link copied!
Hi, hope you're doing well.

For Contact-scoped permissions, the Web API doesn’t reliably support single-record operations by primary key. That’s why both:

GET /_api/mytable(guid)

PATCH /_api/mytable(guid)

blow up with 500 / 9004010A, even though collection queries respect the scope just fine.

If this reply helped you in any way, please give it a Like 💜 and in case it resolved your issue, please mark it as the Verified Answer ✅.

Was this reply helpful? Yes No