Monday, December 1, 2014

Access Denied within SPSecurity.RunWithElevatedPrivileges

I never thought that SPSecurity.RunWithElevatedPrivileges gives an error "Access Denied". But yes, i see it in my below scenario.

I was doing an operation within an item event receiver which required higher level of access to update the web level information. Since this was to be executed irrespective of the access of the user logged in, i had the code to be executed within the SPSecurity.RunWithElevatedPrivileges. Unexpectedly the code was failing and throwing an error "Access Denied".

The below code executes well and fine for the users who has Full Control on a web but gives a "Access Denied' error for contributors or readers though the code is wrapped in SPSecurity.RunWithElevatedPrivileges.
public override void ItemCheckedIn(SPItemEventProperties properties)
{
            base.ItemCheckedIn(properties);
            SPSecurity.RunWithElevatedPrivileges(delegate()
            {
                         SPWeb web = properties.Web;
                         var listItem = properties.ListItem;
                          if (!listItem.Title.Equals(web.Title))
                          {
                                    web.AllowUnsafeUpdates = true;
                                    web.Title = listItem.Title;
                                    web.Update();
                                    web.AllowUnsafeUpdates = false;
                           }
             }
}
In the above code web.Update() throws an exception "Access Denied" Though the code is executing under RunWithElevatedPrivileges. Because the code doesn't really execute under elevated privileges as the respective object SPWeb was not created within the SPSecurity.RunWithElevatedPrivileges but it is retrieved through the receiver context properties.Web, which is created before elevated privileges. Hence the elevated privileges cannot be applied to that object.

The solution for this problem is very simple. Create the objects which are being used to perform some operations with in the SPSecurity.RunWithElevatedPrivileges.
public override void ItemCheckedIn(SPItemEventProperties properties)
{
          base.ItemCheckedIn(properties);
          SPSecurity.RunWithElevatedPrivileges(delegate()
          {                 
                 var listItem = properties.ListItem;
                 using (SPSite site = new SPSite(properties.Site.ID))
                 {
                        using (SPWeb web = site.OpenWeb(properties.Web.ID))
                        {     
                               if (!listItem.Title.Equals(web.Title))
                              {
                                    web.AllowUnsafeUpdates = true;
                                    web.Title = listItem.Title;
                                    web.Update();
                                    web.AllowUnsafeUpdates = false;
                              }
                        }
                 }
           }
}
In this case created a SPWeb object with in elevated previliges though it is available as properties.Web.