1
votes

A Webpart needs to access a SharePoint list (read mode). If the user is an admin, there is no problem (it works as expected), but if the user doesn't have permission to access it, I must use the "RunWithElevatedPrivileges" method.

The problem is that the query doesn't seem to return the correct results. What am I missing?

        SPList demoList = null;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            SPSite oSite = SPControl.GetContextSite(HttpContext.Current); // ADDED
            SPWeb oWeb = oSite.OpenWeb();                                 // ADDED
            demoList = oWeb.Lists["nameList"];
        });
        // demoList has 3 Elements (admin and no admin user) OK

        SPListItemCollection collListItems = null;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            SPQuery oQuery = new SPQuery() { Query = "<OrderBy><FieldRef Name='Date' Ascending='False' /></OrderBy>" };
            collListItems = demoList.GetItems(oQuery);
        });

        // 
        //IF ADMIN
        //collListItems.Count ==>3

        //IF NO ADMIN 
        //collListItems.Count ==>0

3 Answers

6
votes

You need to create a new object with elevated privileges.

    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        SPSite oSite = new SPSite(SPContext.Current.Site.ID);
        SPWeb oWeb = oSite.OpenWeb(SPContext.Current.Web.ID);
        demoList = oWeb.Lists["nameList"];
    });

Also, you should dispose of the newly created objects and there is no need for two delegates.

    SPSecurity.RunWithElevatedPrivileges(delegate {
        using (SPSite oSite = new SPSite(SPContext.Current.Site.ID))
        using (SPWeb oWeb = oSite.OpenWeb()) {
            var demoList = oWeb.Lists["nameList"];
            SPQuery oQuery = new SPQuery
                                { Query = "<OrderBy><FieldRef Name='Date' Ascending='False' /></OrderBy>" };
            SPListItemCollection collListItems = demoList.GetItems(oQuery);

            //IF ADMIN
            //collListItems.Count ==>3

            //IF NO ADMIN 
            //collListItems.Count ==>0
        }
    });
4
votes

If you create the Site and Web objects (or access them from the current SPContext) outside the elevated block, they will have the permissions of the currently logged-in user. So your query, even though it is in an elevated block, is not using elevated permissions. You need to create new Site and Web objects inside the elevated block, then get access to the list, and then run the query to get the expected results.

Here's a resource that explains further. Even though it was done for SharePoint 2007, it applies to SharePoint 2010.

Running Commands with Elevated Privileges in Windows SharePoint Services 3.0 http://msdn.microsoft.com/en-us/library/bb466220(v=office.12).aspx

0
votes

If you want to include a write operation on a SharePoint list, add an SPWeb.ValidateFormDigest() or SPUtility.ValidateFormDigest() line before the RWEP method.

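    // Validate the form digest before entering the elevated block.
    SPUtility.ValidateFormDigest();
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // Write operations on the list go here.
    });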
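
The read case from the question, combining the points made in the answers above, as an added example that is not code from any of the posters: only the site and web GUIDs are taken from the user's context, the `SPSite`/`SPWeb` objects are created inside the elevated delegate, and plain values are copied out before those objects are disposed. The class and method names are hypothetical, and the list is assumed to have the default `Title` column.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

public static class ElevatedListReader   // hypothetical helper class
{
    // Returns the Title of every item in "nameList", newest first,
    // read under the elevated identity instead of the current user's.
    public static List<string> ReadTitlesElevated()
    {
        // Take only the GUIDs from the request context. The context's own
        // SPSite/SPWeb objects stay bound to the current user's token, so
        // using them inside the delegate would not elevate anything.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        var titles = new List<string>();

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects constructed here carry the elevated identity.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPList list = web.Lists["nameList"];
                SPQuery query = new SPQuery
                {
                    Query = "<OrderBy><FieldRef Name='Date' Ascending='False' /></OrderBy>",
                    // Fetch only the column the web part displays (assumed: Title),
                    // since elevated code bypasses the user's own permission checks.
                    ViewFields = "<FieldRef Name='Title' />"
                };

                // Copy the values out inside the using block: the item
                // collection must not be used once the SPWeb is disposed.
                foreach (SPListItem item in list.GetItems(query))
                {
                    titles.Add(item.Title);
                }
            }
        });

        return titles;
    }
}
```

Returning a `List<string>` rather than the `SPList` or `SPListItemCollection` keeps elevated objects from leaking into code that runs as the user.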