SharePoint 2010: changing the context of RunWithElevatedPrivileges

Posted 2024-12-21 07:28:08

I have 2 site collections, let's just call them A and B. In A I have a list of some content that I want to syndicate across multiple site collections. I have created a custom content query web part that queries the data, but I am running into a roadblock.

Because the user level accounts don't have access to Site A at all, and I don't want them to have access to this site at any level, I get an access denied error when my web part runs on site B. Is there a way to change the context through which RunWithElevatedPrivileges works?

My current code which runs from site collection B looks like

ClientContext clientContext = new ClientContext(siteAUrl);
SP.List oList = clientContext.Web.Lists.GetByTitle(listName);

CamlQuery query = new CamlQuery();
//Add View, Execute Query, etc.

return results;

If I wrap this in SPSecurity.RunWithElevatedPrivileges, it runs elevated within the site collection B context, whereas I would rather it run within the site collection A context.

Comments (2)

萝莉病 2024-12-28 07:28:08

The SharePoint 2010 client object model does not support SPSecurity.RunWithElevatedPrivileges. As @Nat states, this call reverts the thread identity to the application pool account (SystemAccount). Since your code runs on the client, the identity cannot be reverted to the application pool account.
Running code as system account via the client object model would open a security hole. Everybody could write and execute code as an administrator.

If your code runs on the server, you can use SPUserToken.SystemAccount to open an SPSite with the system account credentials:

using (SPSite site = new SPSite("http://someurl", SPUserToken.SystemAccount))
{
  // admin action here
}

Check out my blog post How to Open a SPSite with System Account Credentials for more information.
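
An added example, not part of the answer above and not the answerer's code: a server-side helper that opens site collection A with SPUserToken.SystemAccount and copies out only the Title values for display on site B. The class and method names and the choice of the Title field are assumptions. Because the read bypasses the calling user's permissions, siteAUrl and listName are assumed to come from fixed web part configuration rather than from the request.

```csharp
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example: server-side object model only (web part code-behind, not the client object model).
public static class SiteAReader   // hypothetical helper class
{
    // Returns the Title of up to rowLimit items from a list in site collection A.
    public static IList<string> ReadTitles(string siteAUrl, string listName, uint rowLimit)
    {
        var titles = new List<string>();

        // Every object reached through this SPSite runs as the system account,
        // regardless of which user requested the page on site collection B.
        using (SPSite site = new SPSite(siteAUrl, SPUserToken.SystemAccount))
        using (SPWeb web = site.OpenWeb())
        {
            SPList list = web.Lists.TryGetList(listName);
            if (list == null)
            {
                // List not found: return an empty result instead of surfacing
                // details about site A to a user who has no access to it.
                return titles;
            }

            SPQuery query = new SPQuery
            {
                // Ask only for the field that will be shown, and cap the row count.
                ViewFields = "<FieldRef Name='Title' />",
                ViewFieldsOnly = true,
                RowLimit = rowLimit
            };

            foreach (SPListItem item in list.GetItems(query))
            {
                // Copy plain values out. SPListItem, SPList and SPWeb objects opened
                // with the system token must not be handed back to the caller,
                // because they stay elevated and are invalid once disposed.
                titles.Add(item.Title);
            }
        }

        return titles;
    }
}
```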

小傻瓜 2024-12-28 07:28:08

Remember that SPSecurity.RunWithElevatedPrivileges is running the code in the security context of the application-pool account.
Thus, unless you are running site collections in different web applications, they will have the same context, i.e. master of all that is surveyed.

If you are running across site collections, the application pool account will dictate the permissions on the other web application.
