Application page in layouts folder accessing web application object
https://sharepoint.stackexchange.com//questions/95825
-
10-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
There is an application page, deployed to the layouts folder.
The URL of the app page is:
http://server:port/sc2/_layouts/test/mypage.aspx
Now, there is a user with read only permissions (added to visitors group). User is added only on this site collection (sc2) and no other place.
The code makes access to site collection 01 (on same web application), and accesses a list on that site collection. The user doesnot have any right/permission on the site collection 01.
Here is the code of app page:
SPSite site = SPContext.Current.Site.WebApplication.Sites[0];
SPWeb rootWeb = site.RootWeb;
SPList spList = rootWeb.Lists.TryGetList("myList");
if (spList != null)
{
SPQuery qry = new SPQuery();
qry.Query =
@" <OrderBy>
<FieldRef Name='Created' Ascending='False'/>
</OrderBy>";
qry.ViewFields = @"<FieldRef Name='Title' /><FieldRef Name='Col2' />";
SPListItemCollection listItems = spList.GetItems(qry);
if (listItems.Count > 0)
{
MyDiv.InnerHtml = listItems[0]["Col2"].ToString();
}
}
When we log into the PC as this user (with only read permissions) we notice that the code gets run successfully. Should it not throw error because we are not using RunWithElevatedPriviledges?
I feel it should throw exception on line 1 and not proceed further.
Solution
The code is correct and is fine! when accessing aspx pages on the server its not running under app pool account its running under nt authenticated account which should be your own! how do i know? i use aspx on layouts page all the time and giving/dening app pool account access would not effect it! a good expample would be two users.. one site collection admin and another a normal user.
collection admin would be able to access the file fine where the normal user would get access denied... both as tweytjens makes out should have read access but they dont! why? becasue if you dont add the user group within the webapplication(within central admin) users list as read access you dont get access to the files on 12/14/15 hive! having runwithelevated privlages surrounding the code within the aspx means the code would run under applicaiton pool account!!! having code that returns your username within the aspx would firmly show that im correct and tweytjens answer is wrong! under appoolaccount youll get system account and without it if you have access youll get the nt authenticated account which should be the account you logged in with!
that aside.... to explain what is going on..
say i have root site called site1 and i have sub sites site2 and site3. I break inheritance from site2 and give a user read permission only on site2.
So you shouldnt have access to the site http://site1 but should be able to get to
http://site1/site2 without getting an access denied.
the reason why you can get to site2 is that you now have limmited access on site1 to be able to get to site2.
The Limited Access permission level is unusual. It enables a user or group to browse to a site page or library in order to access a specific content item. Typically, the user has been given access to a single item in a list or library, but does not have permission to open or edit any other items in the library. The limited Access permission level includes all the permissions that the user requires to access the required item.
You cannot assign Limited Access permission level directly to a user or group. Instead, you assign appropriate permission to the single item, and then SharePoint automatically assigns Limited Access to other required locations.
more on permissions explained in detail
EDIT
central admin -> application managment -> manage web applications -> click on web application -> click on user policy
that is a list of users that would have access to the webapplication level. _layouts is at that level so for a user to have access would be at that level.
runwith elevated privlages would make the current account run as system app pool account. without runwith elevated privlages you would run under your normal account but would require read access under the web applicaition level otherwise you get access denied!
for your site access issue that has todo partly with above and also partly with the fact that there is limmited access policy inplace that is set by sharepoint!.
EDIT
yes i have already outlined why! sharepoint gives restricted read access so you can get to sitecolection 2 URL otherwise you wouldnt be able to. Running on server has nothing todo with it! the code is run under nt authenticated user! and defnaltly not app pool account!!
Just becasue code is run under the server doesnt mean its run under app pool account! the only way that happens is if you set runwithelevatedprivlages otherwise you would be giving all users unnessary access! To prove my point!
within your aspx.cs add the following code, it will show you the current user... it is this user that the current context is being used and it is this user that is used to access the site and _layouts files within hive!
protected override void OnLoad(EventArgs e)
{
base.OnLoad(e);
string strUserName = SPContext.Current.Web.CurrentUser.LoginName;
Label l = new Label();
l.id = "userID";
l.Text = strUserName;
this.Controls.Add(l);
}
If you see system account than its app pool account.... if you see a normal user account than its not running under app pool! If it is running under app pool account than you should be worried as your giving unnessary access that is aginst best practice.
how do i also know it runs under nt authenticated account? well just try and access the file as annoymous :) youll get access denied... for that you need impersonation as not even elevated privlages work!
OTHER TIPS
Since the code is on an .aspx page, the code runs on the server and it will run with the credentials of the application pool account under which this application runs and not under the client credentials as e.g. Silverlight or Javascript client side code would do.
No code shouldn't throw any exceptions.. since user has Read permissions, and I hope the List is also inheriting permissions from site, that means user has Read permissions on List as well..
Thus if you try to add an item in the List, it should throw exception.. Reading / Querying won't throw any exceptions..
UPDATE
Actually the other answer seems to be right
Permissions for application pages are normally set within the application page itself, using the RightsRequired property.
Here's a comprehensive blog post about Application Page security: http://blog-sharepoint.blogspot.com/2011/10/sharepoint-application-page-security.html
Also have a look at:
