Unauthorized exception even after using SPSecurity.RunWithElevatedPrivileges

When developing custom web parts or controls for SharePoint, we often have to use the SPSecurity.RunWithElevatedPrivileges construct to execute code that needs elevated permissions or that cannot run with the current user's permissions. For example, updating an SPWeb object or SPList object needs elevated permissions.

If you are getting an unauthorized access exception even after using this block, the reason could be as follows:

While using this construct, you cannot use the objects available through the Microsoft.SharePoint.SPContext.Current property. That is because those objects were created in the security context of the current user.

So the best practice for using SPSecurity.RunWithElevatedPrivileges is to get the SPSite/SPWeb objects from SPContext.Current and then create new SPSite and SPWeb objects separately, inside the elevated block, from their IDs. See the code below:

 

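// Read the current site collection and web outside the delegate (user context).
SPSite siteColl = SPContext.Current.Site;
SPWeb site = SPContext.Current.Web;
SPSecurity.RunWithElevatedPrivileges(delegate() {
  // Objects created inside the delegate run under the elevated identity.
  using (SPSite ElevatedsiteColl = new SPSite(siteColl.ID)) {
    using (SPWeb ElevatedSite = ElevatedsiteColl.OpenWeb(site.ID)) {
      // Code to execute, using ElevatedsiteColl and ElevatedSite only
    }
  }
});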

The following code is wrong:

SPSecurity.RunWithElevatedPrivileges(delegate() {
  // Wrong: these objects were created in the current user's security context.
  SPSite siteColl = SPContext.Current.Site;
  SPWeb site = SPContext.Current.Web;
  // Code to execute
});
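
As an added example (not code from the original post), here is the correct pattern carried through to a complete write operation. The helper name, the list title parameter, the "RequestedBy" field and the choice of ViewListItems as the required permission are assumptions for illustration. Because code inside the delegate no longer runs as the current user, the current user's login is captured and a permission check is made before elevating.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Added example: hypothetical helper, not part of the original article.
public static class ElevatedListWriter
{
    public static void AddEntry(string listTitle, string message)
    {
        // Capture plain values only; the SPContext objects themselves
        // stay in the current user's security context.
        SPWeb userWeb = SPContext.Current.Web;
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = userWeb.ID;
        SPUser user = userWeb.CurrentUser;
        string requestedBy = (user != null) ? user.LoginName : "(anonymous)";

        // Authorise with the caller's own rights before elevating.
        // ViewListItems is an assumed minimum for this illustration.
        if (!userWeb.DoesUserHavePermissions(SPBasePermissions.ViewListItems))
            throw new UnauthorizedAccessException("Caller may not use this feature.");

        // Validate the form digest before an elevated write.
        if (!SPUtility.ValidateFormDigest())
            throw new InvalidOperationException("Form digest validation failed.");

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New SPSite/SPWeb objects are created inside the delegate.
            using (SPSite elevatedSite = new SPSite(siteId))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb(webId))
            {
                SPList list = elevatedWeb.Lists[listTitle];
                SPListItem item = list.Items.Add();
                item["Title"] = message;
                // Inside the delegate the current user is no longer the
                // caller, so record the caller's login explicitly.
                item["RequestedBy"] = requestedBy; // assumed text field
                item.Update();
            }
        });
    }
}
```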

4 Responses

  1. Even if you use the last block of code, you can run into unauthorized errors. I’ve had to experience that at a project, and finally found out why:
    the RunWithElevatedPrivileges method works in the context of the Application Pool Identity of the web application.
    The client had used a “least-privileged user” as the Application Pool Identity, and therefore even the RunWithElevatedPrivileges method failed.
    We now always use impersonation of a designated account (whose role is set to be a Site Collection Administrator) to do things the logged-on user isn’t allowed to do according to his role.

    Hope this helps other developers in their struggle of getting things working…😉

    Johan

    PS: when using impersonation, also create a new object (SPSite, SPWeb) inside the impersonated code block as mentioned in this article.

  2. I agree. That is another possibility where you can get an unauthorized exception. Thanks for the detailed input. I will add it to the article just in case people miss it.

  3. I have written a web service and used the SPSecurity.RunWithElevatedPrivileges to access a list to do some operations. But when I access that web service through the application, it asks for user name and password. Ideally it should not ask for user name and password. Please tell me – what should I have to do so that user name and password will not be asked for accessing the web service?

  4. […] “Access Denied” exception even after using SPSecurity.RunWithElevatedPrivileges for users with Read Access Posted on April 29, 2010 by Rinkal Parikh Recently I was having the issue of “Access is Denied” exception in my Custom WebParts for the users who are having only Read Access in the portal. After a long search, I found a solution. https://sharenotes.wordpress.com/2008/09/04/unauthorized-exception-even-after-using-spsecurityrunwith… […]
