Question

When is the best time to web.AllowUnsafeUpdates vs SPSecurity.RunWithElevatedPrivileges? Specifically when dealing with updating an item in a list or updating the list itself.

Is it safest to use both?

What are the differences between the two when it comes to executing item.Update() or list.Update()?


The solution

The two items are not really related.

AllowUnsafeUpdates will allow changes to the content database to happen on a GET request instead of a POST request. This is a very bad idea. It is very trivial to write a script to perform 1000s of GET requests per minute, which would update your content database with duplicates. The actual use cases for AllowUnsafeUpdates are very, very limited.

RWEP also has very limited use cases. The example in the previous answer is actually better solved by impersonating the system account. Use RWEP if you need to access non-SharePoint resources that are accessible by the application pool identity. If the resource is inside SharePoint, impersonating the system account will likely suffice.

In both impersonation and RWEP scenarios, you should validate the form digest before performing any updates. Most responses on the internet omit this, advocating AllowUnsafeUpdates instead.
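As an added illustration of the pattern this answer recommends (not code from the answer's author): reject the request unless it is a POST with a valid form digest, then impersonate the system account to perform the update, leaving AllowUnsafeUpdates at its default. It assumes a C# server-side component running inside a SharePoint page request; the class, method and parameter names are hypothetical.

```csharp
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public static class ListItemUpdater
{
    // Hypothetical helper: update one field on a list item in the current site,
    // running as the SharePoint system account, without AllowUnsafeUpdates.
    public static void UpdateItemAsSystem(string listTitle, int itemId, string fieldName, object value)
    {
        SPContext ctx = SPContext.Current;
        if (ctx == null || HttpContext.Current == null)
            throw new InvalidOperationException("Expected to run inside a SharePoint page request.");

        // Accept only a POST whose form digest validates. A GET, or a POST without a
        // valid digest, is rejected instead of being forced through with AllowUnsafeUpdates.
        bool isPost = string.Equals(HttpContext.Current.Request.HttpMethod, "POST",
                                    StringComparison.OrdinalIgnoreCase);
        if (!isPost || !SPUtility.ValidateFormDigest())
            throw new SPException("The security validation for this request is invalid.");

        // Impersonate the system account by opening a new SPSite with its user token.
        // Unlike RunWithElevatedPrivileges, this keeps a SharePoint identity
        // (SHAREPOINT\system) rather than switching to the app pool's Windows identity.
        SPUserToken systemToken = ctx.Site.SystemAccount.UserToken;
        using (SPSite site = new SPSite(ctx.Site.ID, systemToken))
        using (SPWeb web = site.OpenWeb(ctx.Web.ID))
        {
            SPList list = web.Lists[listTitle];
            SPListItem item = list.GetItemById(itemId);
            item[fieldName] = value;
            // The digest check above is the validation SharePoint enforces here,
            // so web.AllowUnsafeUpdates stays false.
            item.Update();
        }
    }
}
```

The same digest check applies before list.Update() when the list schema is what changes; only the object being updated differs.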

Other tips

You use SPSecurity.RunWithElevatedPrivileges when you have a piece of code which requires higher privileges than the currently logged-in user. For example, your code wants to check if the current user belongs to the "Approvers" group, and the Approvers group is configured such that only members of the Approvers group can see the membership. You will need SPSecurity.RunWithElevatedPrivileges so that the code would run even if it is hit by a person in the Visitors group. Another example: list.Update() probably requires more permissions (because it changes the list schema) than item.Update(), so you may need to use it while calling list.Update() AND you anticipate that your code may be run by people other than site owners with full permissions.

It is important to note that if your application design is such that Visitors would never hit the code that calls list.Update() or item.Update(), then you had better not use it. I prefer to avoid design choices where I need SPSecurity.RunWithElevatedPrivileges.

On the other hand, Microsoft would not allow certain updates under certain circumstances even if the user has permission to do so. Microsoft is protecting us from security attacks by requiring AllowUnsafeUpdates to be set to true. Check this article for a detailed explanation: What You Need To Know About AllowUnsafeUpdates (Part 1)

The two are totally different things as explained here:

AllowUnsafeUpdates vs RunWithElevatedPrivileges

http://rameshsps2010.blogspot.co.uk/2011/06/allowunsafeupdates-vs.html

AllowUnsafeUpdates

Gets or sets a Boolean value that specifies whether to allow updates to the contents database as a result of a GET request or without requiring a security validation.

http://hristopavlov.wordpress.com/2008/05/16/what-you-need-to-know-about-allowunsafeupdates/

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsite.allowunsafeupdates.aspx

RunWithElevatedPrivileges

Executes the specified method with Full Control rights even if the user does not otherwise have Full Control.

http://firstblogofvarun.blogspot.co.uk/2009/06/how-to-use-runwithelevatedprivileges-in.html

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange