回顾:
在SharePoint V2 大家应该都用过模拟用户Impersonate这个功能,
这个功能用来暂时提升某个用户的权限,比如某个普通用户的本来不能修改某个列表的值,但是我们功能需要在修改。
缺点:
我们使用这个模拟用户功能时候,经常是明文保存用户名密码,是个安全隐患。
更加气愤的是,据我所知,在匿名用户访问状态下面,根本不能够模拟成功。
V3解决办法:
Elevation of Privilege
Elevation of privilege is a new feature of that enables you to programmatically perform actions in code using an increased level of privilege. The Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges method enables you to supply a delegate that runs a subset of code in the context of an account with higher privileges than the current user.
A standard usage of RunWithElevatedPrivileges is:
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// do things assuming the permission of the "system account"
});
Frequently, to do anything useful within SharePoint you'll need to get a new SPSite object within this code to effect the changes. For example:
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(web.Site.ID))
{
// do things assuming the permission of the "system account"
}
});
Although elevation of privilege provides a powerful new technique for managing security, it should be used with care. You should not expose direct, uncontrolled mechanisms for people with low privileges to circumvent the permissions granted to them.
注意:
SPSite要在代码块里面创建,而不能使用当前的SPSite
// Uses the App poll creds with the SPUser's identity reference of user
SPSecurity.RunWithElevatedPrivileges(delegate()
{
// Gets a new security context using
using (SPSite site = new SPSite( SPContext.Current.Site.ID ))
{
using (SPWeb thisWeb = site.OpenWeb())
{
thisWeb.AllowUnsafeUpdates = true;
SPItem item = //web.GetListItem(this.Page.Request.Url.ToString());
thisWeb.GetList(ListName).GetItemById(ID);
item[FieldName] = (item[FieldName] == null) ? 1 : (double)item[FieldName] + 1;
item.Update();
writer.Write("Visited Counter. Current:(" + item[FieldName].ToString() + ")");
}
}
});
运行那一段代码的用户是应用程序池的用户,(在IIS里面设置,避免了明文保存)
注意要关闭SPSite /SPWeb ,可以参考: http://msdn2.microsoft.com/en-us/library/aa973248.aspx
结束:
经过测试,匿名用户也能成功。我的浏览计数功能就使用了该段代码。
MSDN参考:
Elevation of Privilege : http://msdn2.microsoft.com/en-us/library/aa543467.aspx
Best Practices: Using Disposable Windows SharePoint Services Objects
以前在编写基于域认证的SharePoint站点时,都没有意识到代码的执行权限问题,因为我基本上都是以管理员身份来登录的。现在把网站认证改为Forms认证以后,一般的用户并不是网站的管理员,导致有些控件会遇到拒绝访问的情况。一个例子是:假如一个普通的Internet用户要往一个Document library来进行写入操作的话就会被拒绝访问。
{
byte[] file = 。。。。。; //get byte array
SPSite site = new SPSite("url");
SPWeb web = site.OpenWeb("url");
SPFolder lib = web.folders["libName"];
SPFileCollection files = lib.Files;
files.Add("fileName", file); //access denied
}
同样的代码如果用户是网站管理员就没有这个权限问题。
那么解决方案是什么呢?我们需要提升这段代码的权限,而不管当前的用户是不是有足够的权限。从SharePoint SDK中看到可以这样做:
SPSecurity.RunWithElevatedPrivileges(ElevatedWriteToLibrary);
这样就把我们的方法的权限提高到了系统帐号的高度,问题就解决了。
如果用到SPSite对象的话,则一定要在这个方法内部来创建,不可以用SPContext.Current.Site,不然没有效果.