Access Denied with SPControlMode.New and RunWithElevatedPrivileges

  • Question

  • I am trying to add MultipleLookupField to a webpart I am developing. It works fine as long as the user has Add permission on the list it points to: here is the code:

    // Requires: using System; using Microsoft.SharePoint; using Microsoft.SharePoint.WebControls;
    private MultipleLookupField _multiplelookupKeywords = new MultipleLookupField();

    protected override void CreateChildControls()
    {
        // Capture the IDs from the current user's context, then reopen the site and web elevated.
        Guid guidSite = SPContext.Current.Site.ID;
        Guid guidWeb = SPContext.Current.Web.ID;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(guidSite))
            {
                using (SPWeb web = site.OpenWeb(guidWeb))
                {
                    SPList listTest;
                    listTest = web.Lists[ListName];
                    _multiplelookupKeywords.ListId = listTest.ID;
                    _multiplelookupKeywords.ControlMode = SPControlMode.New; //Changing this to SPControlMode.Display works fine
                    _multiplelookupKeywords.RenderContext = SPContext.GetContext(web);
                    _multiplelookupKeywords.ItemContext = SPContext.GetContext(web);
                    _multiplelookupKeywords.CssClass = "ms-long";

                    Controls.Add(_multiplelookupKeywords); //ACCESS DENIED ERROR
                }
            }
        });
    }

    So if the user has permissions to add to the listTest list then the code works fine, but if they don't it errors out saying access denied. I want users with Read rights to be able to see this web part, which is why I am using RunWithElevatedPrivileges, but it's not helping. Any idea what's wrong here?

    One weird thing I have noticed during debugging: if I watch web.CurrentUser it points to SHAREPOINT\System, which is good as it's within the REWP block, but if I do SPContext.GetContext(web).Web.CurrentUser its value is the current logged-in user and not SHAREPOINT\System.

    Wednesday, July 21, 2010 5:21 PM

All replies

  • Here is a post on a similar access denied issue while using elevated privileges.

    http://zieglers.wordpress.com/2010/07/07/event-receiver-not-firing-when-document-is-created-using-office/

    "Running code with elevated privileges does NOT always guarantee that you will not get an “Access Denied” error. Security context of objects are still to be checked even though your code executes with elevated privileges."

    Please note Usage-3 of the above article. The reason you are getting the "access denied" error is very similar. In your code you are working with the current context and not creating a new one. Make sure the object instances you want to modify in your elevated code are initiated in the same block.

    Hope this helps.

    zieglers

     


    MCTS,MCPD,MCITP,MCT http://zieglers.wordpress.com/

    Wednesday, July 21, 2010 8:35 PM
  • Thanks for the response, but can you tell me where I am using the current context where I should be using the elevated context?

    Wednesday, July 21, 2010 9:28 PM
  • Your Controls objects are created using the old context, which is not executed with elevated privileges. I think that's what causes this issue.

    - I think that you can store the current context in another object

    - Change the current context to the elevated one

    - Do your Controls.add operation

    - Restore the old context.

    I think doing it that way, it would work.

    Thursday, July 22, 2010 12:39 PM
  • Controls.add is inside the elevated block. I am not sure what I am missing here.

    I have used a workaround where I created a hidden list and used the MultipleLookupField value from there, which has contribute permissions. I would like to know the right way of handling it through elevated privileges.

    Thursday, July 22, 2010 10:58 PM
  • Hi,

    These are the 2 lines in the above code, which are accessing the current context:

    _multiplelookupKeywords.RenderContext = SPContext.GetContext(web);
    _multiplelookupKeywords.ItemContext = SPContext.GetContext(web);

    We need to get the new web object inside the elevated blocks. Check & let us know the results.


    AnjaliCH-MSFT
    Tuesday, August 3, 2010 2:03 PM
  • web is elevated unless I am missing something
    Saturday, August 7, 2010 7:07 PM
  • Hi,

    Few queries from your original questions:

    .....One weird thing i have noticed is during debugging if i watch web.CurrentUser it points to SHAREPOINT\System which is good as its within REWP block but if i do SPContext.GetContext(web).Web.CurrentUser its value is the current logged in user and not SHAREPOINT\System.

             THIS is not weird; it's expected behavior. SPContext will always show the current logged-in user even though you are running code under run with elevated privileges. The SPContext object is built for the current logged-in user.

     ..........so if the user has permissions to add to listTest list then the code works fine but if they don’t it errors out saying access denied. I want users with Read rights to be able to see this web part which is why i am using RunWithElevatedPriviliges but it’s not helping. Any idea what’s wrong here?

        Q. Where is the Webpart placed, in which aspx page? (It has to be DisplayForm.aspx as end users are readers)

         You are using _multiplelookupKeywords.ControlMode = SPControlMode.New; end users who are readers will always get the error. It’s actually not the exact error. The internal error is different. This makes a check of whether the current user, that is the logged-in user, has rights to add an item or not. (The check is done against the SPContext user.)

    Good Link to begin with: http://msdn.microsoft.com/en-us/library/bb466220(office.12).aspx

    Share your views.


    AnjaliCH-MSFT
    • Proposed as answer by Anjali Ch -MSFT Tuesday, September 7, 2010 9:43 PM
    • Marked as answer by Wayne Fan Friday, September 10, 2010 1:05 AM
    • Unmarked as answer by Mike Walsh FIN Saturday, July 16, 2011 10:09 AM
    • Unproposed as answer by Mike Walsh FIN Saturday, July 16, 2011 10:10 AM
    Tuesday, August 24, 2010 7:59 PM
  • Thanks for the response Anjali, but here are my doubts:

    I thought SPContext.Current gives the current context which is why I tried to get the context of the elevated web SPContext.GetContext(elevatedWeb)

    http://msdn.microsoft.com/en-us/library/ms442657.aspx

    I think _multiplelookupKeywords.ControlMode = SPControlMode.New will resolve if its rendering context is elevated web context.

    Wednesday, August 25, 2010 1:55 PM
  • Hi,

    To conclude, let's explain it this way. To drill further, check the SPContext class in Reflector:

    Method:

    public static SPContext GetContext(SPWeb web)
    {
        SPContext context;
        if (web == null)
        {
            throw SPUtility.GetStandardArgumentNullException("web");
        }
        if (HttpContext.Current != null)
        {
            context = GetContext(HttpContext.Current);
            if ((context.Web != null) && (context.Web.ID == web.ID))
            {
                return context;
            }
            context = null;
        }
        if (web.Context == null)
        {
            context = new SPContext(null, 0, Guid.Empty, web);
            web.Context = context;
        }
        return web.Context;
    }

    Conclusion:

    1. It’s actually returning the HTTPContext

    2. HTTPContext will always return the current logged-in user. It has no idea about RunWithElevatedPrivileges

    Share your views/queries.

     

    • Edited by Anjali Ch -MSFT Tuesday, September 7, 2010 9:40 PM Edited
    • Proposed as answer by Anjali Ch -MSFT Wednesday, September 8, 2010 1:04 PM
    • Marked as answer by Wayne Fan Friday, September 10, 2010 1:05 AM
    • Unmarked as answer by Mike Walsh FIN Saturday, July 16, 2011 10:10 AM
    • Unproposed as answer by Mike Walsh FIN Saturday, July 16, 2011 10:10 AM
    Tuesday, September 7, 2010 9:18 PM
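The branch order of the decompiled GetContext(SPWeb) in the reply above, reduced to a stand-alone model. This is an added example, not part of the original thread and not SharePoint code: ModelWeb, ModelContext, RequestContext and the CONTOSO\reader account are hypothetical stand-ins for SPWeb, SPContext, the context tied to HttpContext.Current and the logged-in user.

```csharp
using System;

// Hypothetical stand-ins for SPWeb / SPContext; only the fields the lookup touches.
class ModelWeb
{
    public Guid ID;
    public string CurrentUser;   // identity the web object was opened under
    public ModelContext Context; // mirrors web.Context in the decompiled method
}

class ModelContext
{
    public ModelWeb Web;
    public ModelContext(ModelWeb web) { Web = web; }
}

static class Model
{
    // Stands in for the context bound to HttpContext.Current; null outside a request.
    public static ModelContext RequestContext;

    // Same branch order as the decompiled GetContext(SPWeb) quoted above.
    public static ModelContext GetContext(ModelWeb web)
    {
        if (web == null) throw new ArgumentNullException("web");
        if (RequestContext != null && RequestContext.Web != null && RequestContext.Web.ID == web.ID)
            return RequestContext;   // request-bound context wins on an ID match
        if (web.Context == null)
            web.Context = new ModelContext(web);
        return web.Context;
    }

    static void Main()
    {
        Guid webId = Guid.NewGuid(); // constructed sample value
        var requestWeb = new ModelWeb { ID = webId, CurrentUser = @"CONTOSO\reader" };
        RequestContext = new ModelContext(requestWeb);

        // Same web ID reopened under the system identity, as in the elevated block.
        var elevatedWeb = new ModelWeb { ID = webId, CurrentUser = @"SHAREPOINT\system" };

        // Identity on the elevated web object itself.
        Console.WriteLine(elevatedWeb.CurrentUser);
        // Identity on the context handed back for it: the request's user, because the IDs match.
        Console.WriteLine(GetContext(elevatedWeb).Web.CurrentUser);

        // With no request context to match, the web's own context is created and returned.
        RequestContext = null;
        Console.WriteLine(GetContext(elevatedWeb).Web.CurrentUser);
    }
}
```

The ID comparison is why the permission check in the thread still runs against the logged-in reader: the elevated web has the same ID as the request's web, so the request-bound context is returned in its place.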
  • Not 100% sure.  Could you move "MultipleLookupField _multiplelookupKeywords = new MultipleLookupField();" into "SPSecurity.RunWithElevatedPrivileges()" ?


    Wednesday, September 8, 2010 1:08 AM
  • To conclude, let's explain it this way. To drill further, check the SPContext class in Reflector:

    So does it mean that we can't use field controls to add a new item to a list for an anonymous user until we give add permissions to the anonymous user on the list?

    If we give add permissions on the list to the anonymous user, then anyone can add items to the list via web service or client object model, which is gonna be a security issue.
    Is there any way out?




     

    • Edited by Mike Walsh FIN Saturday, July 16, 2011 10:09 AM do not waste screen space with full quote
    Saturday, July 16, 2011 8:47 AM
  • Calling the SetContextWeb method of the BaseFieldControl class and passing the elevated web object to it made it work without giving any permissions over the list.

    Tuesday, July 19, 2011 12:04 PM
  • Hello!

    Try to create a new MultipleLookupField inside the RunWithElevatedPrivileges block

     

    Thanks!


    .Net Follower (http://dotnetfollower.com)
    Wednesday, July 20, 2011 2:02 AM
  • Yes... It works with MultipleLookupField as well.

    Do you have an application page or a web part?

     

     

    Wednesday, July 20, 2011 10:12 AM