RunWithElevatedPrivileges & AllowUnsafeUpdates

  • Question

  • When shall I use SPSecurity.RunWithElevatedPrivileges and when shall I set AllowUnsafeUpdates to true?
    Monday, February 9, 2009 12:26 PM

Answers

  • If your code adds, modifies, or deletes any element of a site on behalf of users who do not have sufficient permissions to perform the operation directly, the code must include elevation of privilege via the SPSecurity.RunWithElevatedPrivileges method. (Runs code in the security context of the System Account.)


    However, unlike code that merely reads properties of site elements, code that makes changes requires the additional step of setting the Site or Web instance’s AllowUnsafeUpdates property to true within RunWithElevatedPrivileges to update the database without security validation.


    The following example allows a potentially unsafe update to a list or its items:

    // list is an SPList obtained earlier; the flag is set on the web that contains it
    SPWeb web = list.ParentWeb;
    web.AllowUnsafeUpdates = true;


    Ayman M. El-Hattab, Microsoft Certified SharePoint Specialist, http://ayman-elhattab.blogspot.com
    Monday, February 9, 2009 12:38 PM
  • The system account is not the site administrator account but rather the account that the app pool is using.  This account has full access to the entire SharePoint application and databases. 

    The idea with RunWithElevatedPrivileges is that you may have a situation where you want a user to be able to do some action that they normally do not have rights to do.

    You may, for example, provide a web part that allows a user to upload a file to a document library that the user normally does not have access to. I have done this in the past with an image upload web part, which automatically resized the image. This way the user did not have the ability to upload an image directly into the document library but was forced to use the web part, which resized the image for use on the web.

    In such a situation you can use the RunWithElevatedPrivileges method to execute the upload piece of code, which would otherwise be running in the context of the current user and throw an Access Denied exception.

    The AllowSafeUpdates needs to be turned on when using RunWithElevatedPrivileges because SharePoint normally does not allow updates to the database from outside of the current user's context. Since in this case you do want this to be allowed, you should TEMPORARILY set the AllowSafeUpdates property to false.

    A very nice and brief explanation with code sample is here http://mosschampions.com/blogs/moss/archive/2006/11/06/How-to-use-_2700_RunWithElevatedPrivileges_2700_-.aspx 
    http://jcapka.blogspot.com
    Monday, February 9, 2009 1:39 PM
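
The upload scenario from the second answer, written out as an added example that is not part of the original thread; the class and method names and the "Uploads" library title are assumptions. It reopens the site inside the elevated delegate (objects taken from SPContext keep the current user's identity), checks the request's form digest itself because AllowUnsafeUpdates turns that validation off, and restores the flag when done.

```csharp
using System;
using System.IO;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public static class ElevatedUpload
{
    // Hypothetical helper: called from a web part's postback handler.
    public static void SaveToLibrary(string fileName, byte[] content)
    {
        // The elevated block ignores the caller's permissions, so every
        // check on caller-supplied input has to happen before it.
        string safeName = Path.GetFileName(fileName);   // drop any path parts
        if (string.IsNullOrEmpty(safeName) || content == null || content.Length == 0)
            throw new ArgumentException("A file name and content are required.");

        // AllowUnsafeUpdates skips the security validation (form digest) for
        // the web, so verify the digest of the current request explicitly.
        if (!SPUtility.ValidateFormDigest())
            throw new SPException("Security validation failed for this request.");

        // Capture only IDs; SPSite/SPWeb objects from SPContext stay bound
        // to the current user even when used inside the delegate.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))      // opened as the app pool account
            using (SPWeb web = site.OpenWeb(webId))
            {
                bool previous = web.AllowUnsafeUpdates;
                try
                {
                    web.AllowUnsafeUpdates = true;
                    SPFolder root = web.Lists["Uploads"].RootFolder; // assumed library title
                    root.Files.Add(root.Url + "/" + safeName, content, false); // no overwrite
                }
                finally
                {
                    web.AllowUnsafeUpdates = previous;    // keep the window as small as possible
                }
            }
        });
    }
}
```

Files added this way are recorded as created by the System Account, so log the real user's name yourself if you need an audit trail.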

All replies

  • I need to know what the System Account is.
    Is it the site collection administrator?
    Monday, February 9, 2009 1:08 PM