SharePoint v3:忘掉模拟用户Impersonate,SPSecurity.RunWithElevatedPrivileges来了
转自:http://westart.blog.enorth.com.cn/article/217988.shtml
SharePoint v3:忘掉模拟用户Impersonate,SPSecurity.RunWithElevatedPrivileges来了
回顾:
在SharePoint V2 大家应该都用过模拟用户Impersonate这个功能,
这个功能用来暂时提升某个用户的权限,比如某个普通用户的本来不能修改某个列表的值,但是我们功能需要在修改。
缺点:
我们使用这个模拟用户功能时候,经常是明文保存用户名密码,是个安全隐患。
更加气愤的是,据我所知,在匿名用户访问状态下面,根本不能够模拟成功。
V3解决办法:
Elevation of Privilege
Elevation of privilege is a new feature of that enables you to programmatically perform actions in code using an increased level of privilege. The Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges method enables you to supply a delegate that runs a subset of code in the context of an account with higher privileges than the current user.
A standard usage of RunWithElevatedPrivileges is:
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// do things assuming the permission of the "system account"
});
Frequently, to do anything useful within SharePoint you'll need to get a new SPSite object within this code to effect the changes. For example:
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(web.Site.ID))
{
// do things assuming the permission of the "system account"
}
});
Although elevation of privilege provides a powerful new technique for managing security, it should be used with care. You should not expose direct, uncontrolled mechanisms for people with low privileges to circumvent the permissions granted to them.
注意:
SPSite要在代码块里面创建,而不能使用当前的SPSite
// Uses the App poll creds with the SPUser's identity reference of user
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// Gets a new security context using
using (SPSite site = new SPSite( SPContext.Current.Site.ID ))
{
using (SPWeb thisWeb = site.OpenWeb())
{
thisWeb.AllowUnsafeUpdates = true;
SPItem item = //web.GetListItem(this.Page.Request.Url.ToString());
thisWeb.GetList(ListName).GetItemById(ID);
item[FieldName] = (item[FieldName] == null) ? 1 : (double)item[FieldName] + 1;
item.Update();
writer.Write("Visited Counter. Current:(" + item[FieldName].ToString() + ")");
}
}
});
运行那一段代码的用户是应用程序池的用户,(在IIS里面设置,避免了明文保存)
注意要关闭SPSite /SPWeb ,可以参考: http://msdn2.microsoft.com/en-us/library/aa973248.aspx
结束:
经过测试,匿名用户也能成功。我的浏览计数功能就使用了该段代码。
MSDN参考:
Elevation of Privilege : http://msdn2.microsoft.com/en-us/library/aa543467.aspx
Best Practices: Using Disposable Windows SharePoint Services Objects