Hello everyone,

I am using SharePoint Server 2007 Enterprise with Windows Server 2008 Enterprise. I have deployed a publishing portal. I am developing an ASP.NET web application using VSTS 2008 + C# + .NET 3.5 + ASP.NET + SharePoint Server 2007 SDK.

I found that sometimes we need to use SPWebApplication.FormDigestSettings.Enabled = false as a workaround, e.g. when using the SharePoint API to create a site in a site collection. I want to know why we need to execute SPWebApplication.FormDigestSettings.Enabled = false. What is the reason behind the scenes?

Thanks in advance, George

+2  A: 

Does the user that is executing the commands have permissions to run the commands? Based on documentation, it appears that you are disabling security validation when you set that property to false.

A better way to get "super user" permissions to execute a command that the current user doesn't have permissions to run is to use SPSecurity.RunWithElevatedPrivileges:

SPSecurity.RunWithElevatedPrivileges(delegate() 
{
    // Note: It's important that you create all new SPSite and SPWeb
    // objects in the elevated context in order to actually use elevated
    // privileges. Failure to do so will cause your code to execute
    // without elevated privileges.
    using(SPSite site = new SPSite(SPContext.Current.Site.ID))
    {
        using(SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))
        {
             // run code here that requires elevated privileges.
        }
    }
});
Kyle Trauberman
So, 1. SPWebApplication.FormDigestSettings.Enabled is used to disable user permission checking? 2. Using impersonation could achieve the same goal? 3. The end user is accessing from the web, and IIS is using the identity account of the worker process to execute. I am wondering, for user permission checking with SPWebApplication.FormDigestSettings.Enabled = true, does SharePoint check permissions against the IIS worker process identity or some other identity?
George2
1. It appears that is the case, yes. 2. Using this method of impersonation causes the code to be run as the "System Account", with all permissions associated with it. This account is usually the service account configured in IIS. 3. SharePoint uses the currently logged-in user's identity to execute code, and if the current user doesn't have permissions, then you get access denied errors.
Kyle Trauberman
So for 3, it means that if the user is a SharePoint web application administrator who has permission to create a sub-site, there is no need to use the code block you provided? And for a normal user, we need such code?
George2
That is correct.
Kyle Trauberman
There is a better, more stable way to execute commands with system permissions, as mentioned here: http://solutionizing.net/2009/01/06/elegant-spsite-elevation/ More stable, as it will not swap thread identity. I had issues with RunWithElevatedPrivileges in some places, and just using the SPSite constructor, providing the system account user token, resolved it. Reasons can be seen here: http://soumya-sharepointblog.blogspot.com/2008/07/sharepoint-elevated-privilege-without.html
Janis Veinbergs
Cool, question answered!
George2
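
The approach from the last comments (opening the SPSite with the system account's user token) combined with leaving form digest validation switched on, as an added example that is not code from any participant in this thread. The class name, method name, template and LCID are assumptions, and the calling page is assumed to render the FormDigest control.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper (added example, not from the thread).
public static class SubSiteCreator
{
    // Call from a POST handler on a page that renders
    // <SharePoint:FormDigest runat="server" /> (assumption).
    public static void CreateSubSite(string url, string title)
    {
        // Keep FormDigestSettings.Enabled = true on the web application and
        // validate the digest posted with this request instead of disabling
        // the check for every page in the web application.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new InvalidOperationException("Form digest missing or expired.");
        }

        // Elevated code bypasses the caller's SharePoint permissions, so any
        // rule about who may create sub-sites has to be enforced here, before
        // elevating (application-specific, not shown).

        // Capture IDs and the system token from the current user's context.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        SPUserToken systemToken = SPContext.Current.Site.SystemAccount.UserToken;

        // Objects opened from this SPSite act as the system account.
        // The thread identity is not swapped, unlike RunWithElevatedPrivileges.
        using (SPSite site = new SPSite(siteId, systemToken))
        using (SPWeb parent = site.OpenWeb(webId))
        {
            // "STS#0" (Team Site) and LCID 1033 are sample values.
            using (SPWeb child = parent.Webs.Add(
                url, title, String.Empty, 1033, "STS#0", false, false))
            {
                // The sub-site now exists; configure it here if needed.
            }
        }
    }
}
```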