tags:

views:

60

answers:

2
+2  Q: 

SharePoint PublishingWeb change under elevated security context fails, why?

I'm having trouble updating a SharePoint publishingWeb attribute under RunWithElevatedPrivileges. it fails with the exception "The security validation for this page is invalid" at this line : "pubWeb.IncludeInCurrentNavigation = false;". Below is the code i'm trying to run. Normally you can set AllowUnsafeUpdates = true, but publishingWeb's don't have this special property.

My question is what is the proper way to update publishingWeb attributes in an elevated context?

            SPSecurity.RunWithElevatedPrivileges(delegate()
            {
                using (SPSite siteCollection = new SPSite(parentSiteUrl))
                {
                    //siteCollection.AllowUnsafeUpdates = true;
                    using (SPWeb web = siteCollection.OpenWeb(subSiteUrl))
                    {
                        //web.AllowUnsafeUpdates = true;
                        if (PublishingWeb.IsPublishingWeb(web))
                        {
                            // hide new sub-site from navigation elements.
                            PublishingWeb pubWeb = PublishingWeb.GetPublishingWeb(web);
                            pubWeb.IncludeInCurrentNavigation = false;
                            pubWeb.IncludeInGlobalNavigation = false;
                            pubWeb.Update();
                        }
                    }
                }
            });
+1  A: 

If this change occurs on a postback (a POST), you should be calling SPSecurity.ValidateFormDigest() before you make the change. AllowUnsafeUpdates is only used for http GET requests.

If it is a GET request, I would have expected the commented-out line to have worked, but since it's commented I presume it didn't. I would suggest you to use:

pubWeb.Web.AllowUnsafeUpdates = true

as a PublishingWeb is a wrapper for an SPWeb instance, which is accessible via the Web property. It's strange though, I would have expected the supplied SPWeb to have been the same instance (and as such your commented line should have worked.)

x0n  2010-09-06 18:31:17
This action is happening on postback. Given that do I need to combine SPSecurity.ValidateFormDigest() with pubWeb.Web.AllowUnsafeUpdates = true for this to work?
James  2010-09-06 18:38:17
No. ValidateFormDigest is for POST, AllowUnsafeUpdate is for GET. The point of the form digest is that it keeps the page tamper-free and "safe." A get request is considered unsafe because it's easy to tamper with the querystring that might be used in sensitive method calls. If you find yourself making the same changes in POST and GET, then revisit your design. You should strive for POST only.
x0n  2010-09-06 18:44:01
Given that these actions are on postback only, should "SPSecurity.ValidateFormDigest()" go inside of the RunWithElevatedPrivileges block or outside?
James  2010-09-06 19:01:09
Inside. But just looking at your code a bit closer - ValidateFormDigest only works for the context web; you are using explicit URLs so I will have to modify my advice - you should be using both pubWeb.Web.AllowUnsafeUpdates AND ValidateFormDigest. The former enables changes on the pubwebs, the latter ensures the current page has not been tampered with. Follow?
x0n  2010-09-06 19:09:18
umm, James? any further information? Fixed? If so, mark someone as answer if applicable. thx.
x0n  2010-09-12 21:40:07
+1  A: 

Was reading a bit about using this property

pubWeb.Navigation.ExcludeFromNavigation(true, web.ID);

instead of

pubWeb.IncludeInCurrentNavigation = false;

pubWeb.IncludeInGlobalNavigation = false;

Not sure if that is relevant to what your trying to accomplish.

SPSecurity.RunWithElevatedPrivileges(delegate()
                {
                    using (SPSite siteCollection = new SPSite(parentSiteUrl))
                    {
                        //siteCollection.AllowUnsafeUpdates = true;
                        using (SPWeb web = siteCollection.OpenWeb(subSiteUrl))
                        {
                            //web.AllowUnsafeUpdates = true;
                            if (PublishingWeb.IsPublishingWeb(web))
                            {
                                // hide new sub-site from navigation elements.
                                PublishingWeb pubWeb = PublishingWeb.GetPublishingWeb(web);
                                pubWeb.Navigation.ExcludeFromNavigation(true, web.ID);
                                pubWeb.Update();
                            }
                        }
                    }
                });
Shane  2010-09-07 19:00:20

related questions

Upgrading Sharepoint 3.0 to SQL 2005 Backend?
Webpart registration error in event log
Sharepoint COMException 0x81020037
Transactional Design Pattern
Deploying InfoPath forms to different SharePoint servers
Profiling/Optimizing (Sharepoint 2007) Web Parts
Retreiving the PC Name of a Client? (Windows Auth)
What's the best way to report errors from a SharePoint workflow?
How to get out parameters working in SharePoint workflows
Editing User Profile w/ Forms Authentication
WSS/MOSS Book
Creating a development environment for SharePoint.
Sharepoint Wikis
Have you used a wiki in your project or group?
Can I copy files to a Network Place from a script or the command line?
How do you deploy your SharePoint solutions?
SharePoint WSS 3.0 Integration with Mac OSX (either Safari or Firefox)
SharePoint - Connection String dialog box during FeatureActivated event
How can I improve the edit-compile-test loop when developing a SharePoint workflow?
Best ajax library for Sharepoint
Alternative Hostname for an IIS web site for internal access only
How to reference to multiple version assembly
MOSS SSP problem - Failed database logons from deleted SSP
Sharepoint: executing stsadm from a timer job + SHAREPOINT\System rights
Can ASP.NET AJAX partial rendering work inside a SharePoint 2007 application page?