Why does RunwithElevatedPriviliges not work in Event Handlers?

  • Article

In SharePoint one of the most used methods is - "RunWithElevatedPriviliges". The common understanding of this method is that - Wrap this delegate around any method you want to run under the context of the app pool user's identity and hence with full permission.

But there are some subtle details which are required to properly use this method. Without knowing the details I guess we end up abusing the "RunWithElevatedPriviliges" method rather than using the method.

Lets go into the detail of how this method actually works. This method internally uses the age old, trusted way of impersonation - WindowsIdentity.Impersonate(). The "RunWithElevatedPriviliges" method was introduced in MOSS 2007 to make impersonation use easy. Now lets understand the intricate requirements for this method to be used properly:-

1. Always use new objects which are within the context of the call. Do not use any object which is outside the scope of the context. In other words, I mean that never use objects from SPContext rather create them using GUID's or other ways within the method call.

E:g. You can get the SPSite or SPWeb object's reference by getting it from SPContext. But for the method - "RunWithElevatedPriviliges" try using the object's created inside the delegate call. Use the objects as shown below (Check The bold text below):-

SPWeb webInUserContext = SPContext.Current.Web;
SPSite SiteInUserContext = SPContext.Current.Site;
Guid webGuid = webInUserContext.ID;
Guid siteGuid = SiteInUserContext.ID;

SPSecurity.RunWithElevatedPrivileges(delegate()

{
// get the site in impersonated context
using (SPSite site = new SPSite(siteGuid))

    {
// get the web in the impersonated context
SPWeb web = site.OpenWeb(webGuid);
// Do your work here  

                web.Dispose();
}

});

The main reason for doing so is to ensure that all the objects are in the context of the App Pool's identity. This is extremely important to ensure the above point. (And I know that there is very little documentation on this point)

Now lets come to the main point - "RunWithElevatedPriviliges" - With Event Handlers. Normally we make use of the ItemEventProperties object to get the SPSite/SpWeb object. And even if we try to create new objects within the "RunWithElevatedPriviliges" method, we would not be able to get the context of the App Pool identity.

Just Remember one thing:- You can't use "RunWithElevatedPriviliges" with event handlers and the reason is the - ItemEventProperties object. And here is not the end of the problems - you can't even use Windows.Impersonate() as well.

The only workaround which would work here is - Explicit Impersonation. Create a SPUser object for the administrator, get SPToken of the user and then use this token to open the SPSite object using this token.

Sample code is below:-

SPUser user = web.AllUsers["kci\\sp_prodapppool"];

SPUserToken token = user.UserToken;

SPSite kciSite = new SPSite(site.Url, token);

SPWeb kciWeb = kciSite.OpenWeb();

 

Happy Coding :)