SharePoint v3: Forget simulated user impersonation; use SPSecurity.RunWithElevatedPrivileges to raise SharePoint code permissions

Source: Internet
Author: User

Overview:

In SharePoint V2 you had to use the simulated user (impersonation) approach.

That technique temporarily raises a user's permissions. For example, an ordinary user cannot modify a list item, but our function needs to make the change anyway.

Disadvantages:

When we use simulated user impersonation, the user name and password are often stored in plain text, which is a security risk.

Even more annoying, as far as I know, the impersonation fails when the request comes from an anonymous user.

V3 solution:

Elevation of Privilege

Elevation of privilege is a new feature of SharePoint v3 that enables you to programmatically perform actions in code using an increased level of privilege. The Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges method enables you to supply a delegate that runs a subset of code in the context of an account with higher privileges than the current user.

The standard usage of RunWithElevatedPrivileges is:

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    // Do things assuming the permission of the "System Account"
});

Frequently, to do anything useful within SharePoint you'll need to get a new SPSite object within this code to effect the changes. For example:

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    // A new SPSite created inside the delegate carries the elevated token
    using (SPSite site = new SPSite(web.Site.ID))
    {
        // Do things assuming the permission of the "System Account"
    }
});

Although elevation of privilege provides a powerful new technique for managing security, it should be used with care. You should not expose direct, uncontrolled mechanisms for people with low privileges to circumvent the permissions granted to them.

Note:

The SPSite must be created inside the code block; the current SPSite (SPContext.Current.Site) cannot be reused, because it still carries the original user's security context.

// Runs with the app pool credentials; SPUser references still identify the original user
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    // Gets a new security context by opening a fresh SPSite from the current site ID
    using (SPSite site = new SPSite(SPContext.Current.Site.ID))
    {
        using (SPWeb thisWeb = site.OpenWeb())
        {
            // Required for updates made during a GET request
            thisWeb.AllowUnsafeUpdates = true;

            // Alternative: thisWeb.GetListItem(this.Page.Request.Url.ToString());
            // Note that SPWeb.GetList expects a server-relative list URL
            SPListItem item = thisWeb.GetList(listName).GetItemById(id);

            // Initialise the counter on first visit, otherwise increment it
            item[fieldName] = (item[fieldName] == null) ? 1 : (double)item[fieldName] + 1;
            item.Update();

            writer.Write("visited counter. Current: (" + item[fieldName].ToString() + ")");
        }
    }
});

The code runs as the application pool identity (configured in IIS, so no credentials are stored in plain text).

To dispose SPSite/SPWeb objects correctly, see: http://msdn2.microsoft.com/en-us/library/aa973248.aspx

Conclusion:

After testing, this also works for anonymous users. I use this code in my page visit counter.


Msdn reference:

Elevation of Privilege: http://msdn2.microsoft.com/en-us/library/aa543467.aspx

Best practices: using disposable Windows SharePoint Services objects

In the past, when writing a domain-based SharePoint site, I was not aware of the code execution permission issue, because I basically logged on as an administrator. After the website authentication was changed to forms authentication, the general user is no longer the website administrator, and some controls may be rejected. For example, if an Internet user wants to write data to a document library, access is denied.

public void WriteToLib()
{
    byte[] file = .....; // Get byte array
    // Dispose both objects when done; see the MSDN disposal article linked above
    using (SPSite site = new SPSite("url"))
    using (SPWeb web = site.OpenWeb("url"))
    {
        SPFolder lib = web.Folders["libname"];
        SPFileCollection files = lib.Files;
        files.Add("FILENAME", file); // Access Denied
    }
}

The same code does not hit this permission problem if the user is a website administrator.
So what is the solution? We need to raise the permissions of this code, regardless of whether the current user has sufficient permissions. From the SharePoint SDK, we can see that:

SPSecurity.CodeToRunElevated elevatedWriteToLibrary = new SPSecurity.CodeToRunElevated(WriteToLib);
SPSecurity.RunWithElevatedPrivileges(elevatedWriteToLibrary);

In this way, the permissions of our method are raised to the system account level, and the problem is solved.
If an SPSite object is used, it must be created inside the method. SPContext.Current.Site cannot be used, otherwise it will not work.
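The two elevated snippets above (the visit counter and WriteToLib) illustrate the caution in the note that elevation must not become an uncontrolled bypass. The following is an added example, not code from the original post: it checks the real caller's permission before elevating, then performs one narrow, fixed write inside a fresh SPSite/SPWeb. The list name, field name and item id are hypothetical parameters.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: a gated elevation helper for a page visit counter.
// Assumes a list with a Number column (names are hypothetical, passed in by the caller).
public static class GatedElevation
{
    // Increments the counter for one item, but only if the calling user is allowed
    // to view that item. The elevated block does a single fixed write and nothing else.
    public static double IncrementHitCounter(SPWeb callerWeb, string listName, int itemId, string fieldName)
    {
        // Authorization check runs as the real caller, BEFORE any elevation.
        SPListItem callerItem = callerWeb.Lists[listName].GetItemById(itemId);
        if (!callerItem.DoesUserHavePermissions(SPBasePermissions.ViewListItems))
        {
            throw new UnauthorizedAccessException("Caller may not view this item.");
        }

        // Capture only the IDs; the caller's SPSite/SPWeb keep the caller's token.
        Guid siteId = callerWeb.Site.ID;
        Guid webId = callerWeb.ID;
        double newValue = 0;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New SPSite/SPWeb created inside the delegate run as the app pool identity.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                web.AllowUnsafeUpdates = true; // needed for writes during a GET request
                try
                {
                    SPListItem item = web.Lists[listName].GetItemById(itemId);
                    double current = (item[fieldName] == null) ? 0 : Convert.ToDouble(item[fieldName]);
                    newValue = current + 1;
                    item[fieldName] = newValue;
                    item.Update();
                }
                finally
                {
                    web.AllowUnsafeUpdates = false; // re-enable the safety check before disposal
                }
            }
        });
        return newValue;
    }
}
```

Because the permission test uses the caller's own SPWeb and the elevated block never touches caller-controlled URLs or field values beyond a fixed increment, a low-privilege user cannot use this code path to read or modify anything they could not already see.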
