I have a C# MVC Web Application which embeds PowerBI reports.
Here is our embed config:

    var config = {
        type: 'report',
        id: embedReportId,
        accessToken: accessToken,
        tokenType: models.TokenType.Embed,
        embedUrl: embedUrl,
        permissions: models.Permissions.View,
        settings: {
            filterPaneEnabled: false,
            navContentPaneEnabled: true,
            background: models.BackgroundType.Transparent,
            layoutType: models.LayoutType.Custom,
            customLayout: {
                displayOption: models.DisplayOption.FitToWidth
            }
        }
    };

You mentioned the viewMode property in your question. As you can see we do not even set the viewMode property in our config. We only set the permissions property but as far as I can tell it doesn't do much. This property is rarely used or only controls minor things you can see on the UI.
If you generate the access token like you are for "View", and someone edits the embedding report viewer page to change the permission property from models.Permissions.View to models.Permissions.ReadWrite in the HTML/JavaScript, any subsequent calls the PowerBI JavaScript library attempts to make after that report viewer page edit would fail, because the access token that was generated is for View and not Edit, and the API calls to Microsoft/PowerBI would fail.
So you really just need to make sure your back end logic is generating the correct access token for whatever the viewing context is. If you were generating an access token with full permissions and using the PowerBI JavaScript library to hide things, then users could potentially alter your page source and do more than you wanted.
Good luck
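
The following sketch shows the back-end side of that advice. It is an added example, not part of the original answer. It calls the Power BI REST `GenerateToken` endpoint and takes the access level from the server's own authorization decision, never from anything the browser sends. Assumptions: the class and method names, the `ReportAuthor` role name, a caller-supplied Azure AD token for the Power BI API, and a runtime with `System.Text.Json` and C# 8 are all hypothetical choices for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class EmbedTokenService
{
    // Assumption: one shared HttpClient for the application.
    private static readonly HttpClient Http = new HttpClient();

    // The access level comes only from the authenticated user's server-side role
    // ("ReportAuthor" is a hypothetical role name), not from the embed config.
    public static string AccessLevelFor(IPrincipal user) =>
        user.IsInRole("ReportAuthor") ? "Edit" : "View";

    public static async Task<string> GenerateEmbedTokenAsync(
        string aadToken, Guid groupId, Guid reportId, IPrincipal user)
    {
        // Power BI REST API: Reports - Generate Token In Group.
        var url = $"https://api.powerbi.com/v1.0/myorg/groups/{groupId}/reports/{reportId}/GenerateToken";
        var body = JsonSerializer.Serialize(new { accessLevel = AccessLevelFor(user) });

        using var request = new HttpRequestMessage(HttpMethod.Post, url)
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", aadToken);

        using var response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();

        // The response JSON carries the embed token in its "token" property.
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("token").GetString();
    }
}
```

The returned string is what the page passes as `accessToken` in the embed config; a viewer who rewrites `permissions` in the page source still holds only a "View" token.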