SPSecurity.RunWithElevatedPrivileges not working for updating "Created by" field by normal user

  • Question

  • Hello folks

    I have created a visual web part with an Ajax panel, that allows normal users to create a list entry just by filling in a text box on the web part and clicking "submit". This is used for the users to ask questions (Q&A).

    This currently works well, however I now need to make the web part create the list entries with a different user (can be system account or whatever), so that questions can be asked anonymously.

    What I'm trying to do is to change the "Created by" field to whatever user is configured in the web part properties, which is for example the server farm account.

    This works when logged in as a user with full control permissions. However, as a normal user it doesn't. I tried to do the update within an SPSecurity.RunWithElevatedPrivileges block, but the "Created By" field still does not get updated. There is no error, such as permission denied. Also, there is no exception. The field simply does not get updated, and the original author (the normal user) remains in the "Created By" field.

    When I give full control to the normal user, it will work and the created by field gets updated. When removing full control, it stops working.

    The code block where I do the update:

    if (ParentWebPart.postAsAnonymous)
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            currentWeb.AllowUnsafeUpdates = true;

            SPUser fakeUser = currentWeb.EnsureUser(ParentWebPart.userSubstitute);

            string fakeUserFormatted = fakeUser.ID + ";#" + fakeUser.Name;

            newQuestion["Author"] = fakeUserFormatted;

            newQuestion.Update();

            currentWeb.AllowUnsafeUpdates = false;
        });
    }

    Isn't RunWithElevatedPrivileges supposed to give full control?

    Thanks

    Friday, April 13, 2012 12:22 PM

Answers

  • Did you make sure to use AllowUnsafeUpdates = true?

    If that does not work, then try disabling the form digest validation:

    currentWeb.Site.WebApplication.FormDigestSettings.Enabled = false;

    and after executing the code

    currentWeb.Site.WebApplication.FormDigestSettings.Enabled = true;


    Amit

    • Marked as answer by Qiao Wei Thursday, April 19, 2012 9:50 AM
    Friday, April 13, 2012 3:12 PM
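
An added example, not code from any poster in this thread: it re-opens the site, web and item inside the elevated delegate (objects taken from SPContext keep the current user's permissions) and checks the request's form digest with SPUtility.ValidateFormDigest() before elevating, so the web-application-wide FormDigestSettings stay enabled. The class, method and parameter names are hypothetical, and it assumes the item has already been created by the calling user.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper for illustration; names are not from the thread.
public static class AnonymousQuestionHelper
{
    public static void SetAuthorElevated(Guid listId, int itemId, string substituteLogin)
    {
        // Validate the request's form digest while still running as the caller,
        // rather than switching off digest validation for the whole web application.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new InvalidOperationException("Form digest validation failed.");
        }

        // Capture identifiers only. SPSite/SPWeb/SPListItem instances obtained from
        // SPContext keep the current user's token even inside the delegate.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite elevatedSite = new SPSite(siteId))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb(webId))
            {
                bool previous = elevatedWeb.AllowUnsafeUpdates;
                elevatedWeb.AllowUnsafeUpdates = true;
                try
                {
                    SPUser substitute = elevatedWeb.EnsureUser(substituteLogin);

                    // Re-fetch the item through the elevated web; an item loaded
                    // before elevation would still update as the normal user.
                    SPListItem item = elevatedWeb.Lists[listId].GetItemById(itemId);
                    item["Author"] = new SPFieldUserValue(elevatedWeb, substitute.ID, substitute.Name);
                    item.Update();
                }
                finally
                {
                    // Restore the flag even if the update throws.
                    elevatedWeb.AllowUnsafeUpdates = previous;
                }
            }
        });
    }
}
```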

All replies

  • How are you creating the currentWeb instance? Are you using SPContext for this? You probably will know, but SPContext won't work well with the RunWithElevatedPrivileges approach.

    Also give the following approach a try

    http://www.matchpointcommunity.com/blog/Posts/37/how-to-open-a-spsite-with-the-system-account-in-sharepoint-2010


    Amit

    Friday, April 13, 2012 12:36 PM
  • Hello Amit

    The currentWeb instance is created like this:

    using (SPWeb currentWeb = SPContext.Current.Site.OpenWeb(SPContext.Current.Web.ID))
    {
    //...

    So I am not 100% sure whether I am using SPContext or not :) (clearly it is used, but it is not directly assigned).

    Friday, April 13, 2012 12:43 PM
  • Try the following
    SPWeb web = SPContext.Current.Web;

    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // New SPSite/SPWeb objects created inside the delegate run elevated
        using (SPSite currentSite = new SPSite(web.Site.Url))
        {
            using (SPWeb currentWeb = currentSite.OpenWeb())
            {
                // YOUR CODE HERE
            }
        }
    });


    Amit

    Friday, April 13, 2012 1:02 PM
  • Interesting: doing it this way throws an SPException:

    The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.

    The exception is thrown when doing newQuestion.Update();

    Friday, April 13, 2012 2:31 PM