views:

484

answers:

3

Is it possible to run STSADM from an ASP.NET application that is residing in the _layouts folder?

I have copied this code on this page.

When it runs the return message is Access Denied.

+3  A: 

Likely you need to give access to the ASP.NET application pool account for the SharePoint app in question to execute stsadm if that's what you're trying. Or if you're impersonating accounts, then to the impersonated user(s) in question. You'll also need to give the app pool account collateral privileges for all the SharePoint stuff it's operating on (SQL Server, SharePoint stuffs, etc.)

CAUTION: This could open up all sorts of risks, running STSADM from the Internet/Intranet can do all sorts of things I dare not think about. Be very wary of injection attacks into stsadm command executions and people elevating privilege to execute stsadm that have no business doing so. Can you think of a better way to do what you're trying to do?

tekiegreg
+3  A: 

Process.Start will cause STSADM to run under the ASPNET worker process account

So if you give this account permission to use STSADM then you have to be sure that your web page correctly restricts what can be done and by whom

+10 for tekiegreg's CAUTION comment - if you get this wrong it could go nuclear!

Perhaps a better way to do this is to use the object model Microsoft.SharePoint.Administration as most everything that can be done though STSADM can be done through the object model as of WSSv3

This will have a few advantages 1) No parsing of console.out strings 2) You should be able to impersonate the authenticated user so then STSADM/SharePoint become responsible for determining what the user is allowed to do.

Ryan
Excellent points, I didn't realize the SharePoint Admin objects could do so much, also yeah it's the worker process account not the app pool account. Live and learn is what StackOverflow is about.
tekiegreg
A: 

Thanks Ryan for pointing out the Object Model Class. That is the route I will go.

hobbyman