Elevating user access privileges in MOSS

Source: Internet
Author: User
Today's hackers are arrogant: just because their privilege-escalation skills exceed those of ordinary people, "they can do anything in the world" (haha, that's an exaggeration!). People who are new to MOSS permissions may have many questions. For example, the company administrator grants ordinary employees only the Viewer role (all users with the right to access the site have read-only permission!), so how can I elevate my own access permissions? With this question in mind, join the author in stepping through how to elevate user access permissions.

First, let's be clear that MOSS is a powerful role-based office management system. Careful readers will have noticed that permissions in a site are tiered, scoped to users, sites, site collections, and lists {document list items, folders, files}.

Second, how should we go about elevating permissions?

Finally, think about what the privilege is for and what should be done with it. The permission management features in MOSS provide a management model suited to enterprise development! Now, let's get started with the author:

1. Privilege elevation is a new feature of Windows SharePoint Services 3.0 that lets you perform operations programmatically in code with a higher level of privilege.

2. Using Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges (link: WSS 3.0 SDK), you can give a delegate that runs part of the code in the context of an account more privileges than the current user has. (However, to elevate to administrator access, the site and web objects must be obtained by re-instantiating them in the code. Objects obtained from the current context still carry the role permissions of the current user, so no elevation takes place.)

3. Although privilege elevation provides a new and effective way to manage security, exercise caution when using it. Users with low privileges should not be given direct, uncontrolled mechanisms for circumventing the permissions granted to them. (This is exactly what the author described doing just now.)

The following is the reference code for permission elevation (it will also be used in the next chapter, where the author introduces uploading documents to SharePoint!)

// Elevating user access permissions

// The following code snippet can be executed only as an administrator. With the
// Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges method, you can easily
// simulate administrator permissions to run it!

using Microsoft.SharePoint;

public void AddPermission(int id)
{
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // A site object must be instantiated here. If the object is obtained from the
        // current context (SPContext), it still has the normal permissions of the
        // currently logged-on user.
        using (SPSite site = new SPSite("http://mosingserver:8080/"))
        {
            using (SPWeb web = site.OpenWeb()) // open the site's web; using releases the resources
            {
                // Obtain the list selected by the user.
                SPList list = web.Lists["Microsoft product documentation"];

                // Obtain the list item by ID, which identifies the item uniquely.
                SPListItem item = list.Items.GetItemById(id);

                // Stop inheriting permissions from the parent.
                if (!item.HasUniqueRoleAssignments)
                {
                    item.BreakRoleInheritance(false);
                }

                // Clear all original role permissions of the list item.
                foreach (SPRoleAssignment roleAssignments in item.RoleAssignments)
                {
                    // Mark the site and web as updatable.
                    site.AllowUnsafeUpdates = true;
                    web.AllowUnsafeUpdates = true;
                    roleAssignments.RoleDefinitionBindings.RemoveAll();

                    // Remember to update the list item again.
                    item.Update();
                }

                // Obtain the specified user under the site.
                SPUser authorUser = web.AllUsers["mosing\\yongfengisvan"];

                // Assign roles to the user.
                SPRoleAssignment roleAssignment = new SPRoleAssignment(authorUser.LoginName, authorUser.Email, authorUser.Name, authorUser.Notes);

                // Re-define the role. Here I give it the Administrator role
                // (the author had set the user yongfengisvan to read-only permission).
                roleAssignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(SPRoleType.Administrator));
                item.RoleAssignments.Add(roleAssignment);
                item.Update();
            }
        }
    });
}

This code example will also be used in the next chapter, so please look out for it! Or refer to the SDK for details!
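A guarded variant of the elevation pattern, following the caution in point 3 (an added example, not code from the original article): the caller is authorized with their own identity before the delegate runs, and the elevated block is limited to one fixed list, one fixed non-administrator role and the caller's own account. The class name `ItemAccessHelper`, the method name `GrantCallerContributor` and the group "Document Editors" are hypothetical, and the code assumes it is called from a POST request on a SharePoint page that carries a form digest.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public class ItemAccessHelper // hypothetical class name
{
    const string ListTitle = "Microsoft product documentation"; // list used in the article
    const string AllowedGroup = "Document Editors";             // hypothetical group

    // Grants the calling user Contributor on one item of one fixed list.
    public void GrantCallerContributor(int itemId)
    {
        // Context objects carry the caller's identity, which is what the checks need.
        SPWeb contextWeb = SPContext.Current.Web;

        // Assumes a POST with a form digest; forged requests are rejected here
        // instead of switching on AllowUnsafeUpdates.
        if (!SPUtility.ValidateFormDigest())
            throw new UnauthorizedAccessException("Invalid form digest.");

        // Authorize before elevating: only members of the approved group pass.
        int groupId = contextWeb.SiteGroups[AllowedGroup].ID;
        if (!contextWeb.IsCurrentUserMemberOfGroup(groupId))
            throw new UnauthorizedAccessException("Caller is not in " + AllowedGroup);

        // Pass only plain values into the delegate, never context objects.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = contextWeb.ID;
        string callerLogin = contextWeb.CurrentUser.LoginName;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects re-instantiated here run under the elevated account.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPListItem item = web.Lists[ListTitle].GetItemById(itemId);
                if (!item.HasUniqueRoleAssignments)
                    item.BreakRoleInheritance(true); // keep the inherited assignments

                // The role is fixed in code and is not Administrator.
                SPRoleAssignment assignment = new SPRoleAssignment(web.AllUsers[callerLogin]);
                assignment.RoleDefinitionBindings.Add(
                    web.RoleDefinitions.GetByType(SPRoleType.Contributor));
                item.RoleAssignments.Add(assignment);
            }
        });
    }
}
```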

 

 
