Accessing the web application object from an application page in the layouts folder

sharepoint.stackexchange https://sharepoint.stackexchange.com//questions/95825

Question

I have an application page deployed in the layouts folder.

The URL of the app page is:

  • http://server:port/sc2/_layouts/test/mypage.aspx

    Now I have a user with read-only permission (added to the Visitors group). The user is added only to this site collection (SC2) and nowhere else.

    The code accesses site collection 01 (in the same web application) and accesses a list in that site collection. The user has no rights/permissions on site collection 01.

    Here is the app code:

// "Line 1": opens site collection 01 via the web application. Sites[0] returns a new SPSite
// that the caller owns, so it is wrapped in a using block to dispose it.
using (SPSite site = SPContext.Current.Site.WebApplication.Sites[0])
{
    SPWeb rootWeb = site.RootWeb;   // owned by the SPSite; not disposed separately
    SPList spList = rootWeb.Lists.TryGetList("myList");
    if (spList != null)
    {
        // CAML query: newest item first, returning only Title and Col2
        SPQuery qry = new SPQuery();
        qry.Query =
            @"<OrderBy>
                  <FieldRef Name='Created' Ascending='False'/>
              </OrderBy>";
        qry.ViewFields = @"<FieldRef Name='Title' /><FieldRef Name='Col2' />";
        SPListItemCollection listItems = spList.GetItems(qry);
        if (listItems.Count > 0)
        {
            MyDiv.InnerHtml = listItems[0]["Col2"].ToString();
        }
    }
}

    When I log on to the PC as this user (who has read permission only), the code runs successfully. I am not using RunWithElevatedPrivileges, so shouldn't an error occur?

    It should throw an exception at line 1 and go no further, shouldn't it?


Solution

The code is correct and is fine! When accessing aspx pages on the server it's not running under the app pool account, it's running under the NT authenticated account, which should be your own! How do I know? I use aspx on layouts pages all the time and giving/denying the app pool account access would not affect it! A good example would be two users... one a site collection admin and another a normal user.

The site collection admin would be able to access the file fine where the normal user would get access denied... both, as tweytjens makes out, should have read access but they don't! Why? Because if you don't add the user group to the web application's users list (within central admin) with read access, you don't get access to the files in the 12/14/15 hive! Having RunWithElevatedPrivileges surrounding the code within the aspx means the code would run under the application pool account!!! Having code that returns your username within the aspx would firmly show that I'm correct and tweytjens' answer is wrong! Under the app pool account you'll get System Account, and without it, if you have access, you'll get the NT authenticated account, which should be the account you logged in with!

That aside... to explain what is going on...

Say I have a root site called site1 and I have sub sites site2 and site3. I break inheritance on site2 and give a user read permission only on site2.

So you shouldn't have access to the site http://site1 but should be able to get to http://site1/site2 without getting an access denied.

The reason why you can get to site2 is that you now have Limited Access on site1 to be able to get to site2.

The Limited Access permission level is unusual. It enables a user or group to browse to a site page or library in order to access a specific content item. Typically, the user has been given access to a single item in a list or library, but does not have permission to open or edit any other items in the library. The Limited Access permission level includes all the permissions that the user requires to access the required item.

You cannot assign Limited Access permission level directly to a user or group. Instead, you assign appropriate permission to the single item, and then SharePoint automatically assigns Limited Access to other required locations.

http://office.microsoft.com/en-gb/products/understanding-permission-levels-HA102772313.aspx?CTT=5&origin=HA102771919

More on permissions, explained in detail:

http://office.microsoft.com/en-gb/office365-sharepoint-online-enterprise-help/introduction-control-user-access-with-permissions-HA102771919.aspx#_Toc352060310

EDIT

Central Admin -> Application Management -> Manage web applications -> click on the web application -> click on User Policy

That is a list of users that would have access at the web application level. _layouts is at that level, so for a user to have access it would have to be at that level.

RunWithElevatedPrivileges would make the current account run as the system app pool account. Without RunWithElevatedPrivileges you would run under your normal account, but you would require read access at the web application level, otherwise you get access denied!

For your site access issue, that has to do partly with the above and also partly with the fact that there is a Limited Access policy in place that is set by SharePoint!

EDIT

Yes, I have already outlined why! SharePoint gives restricted read access so you can get to the site collection 2 URL, otherwise you wouldn't be able to. Running on the server has nothing to do with it! The code is run under the NT authenticated user! and definitely not the app pool account!!

Just because code is run on the server doesn't mean it's run under the app pool account! The only way that happens is if you set RunWithElevatedPrivileges, otherwise you would be giving all users unnecessary access! To prove my point!

Within your aspx.cs add the following code; it will show you the current user... it is this user that the current context is being used with, and it is this user that is used to access the site and _layouts files within the hive!

// Requires: using System; using System.Web.UI.WebControls; using Microsoft.SharePoint;
protected override void OnLoad(EventArgs e)
{
    base.OnLoad(e);
    // The SharePoint user the current request context resolved to
    string strUserName = SPContext.Current.Web.CurrentUser.LoginName;
    Label l = new Label();
    l.ID = "userID";   // Control.ID (the original lowercase "id" does not compile)
    l.Text = strUserName;
    this.Controls.Add(l);
}

If you see System Account then it's the app pool account.... if you see a normal user account then it's not running under the app pool! If it is running under the app pool account then you should be worried, as you're giving unnecessary access that is against best practice.

How do I also know it runs under the NT authenticated account? Well, just try and access the file as anonymous :) you'll get access denied... for that you need impersonation, as not even elevated privileges work!

SharePoint - access to path is denied

Other tips

Since the code is on an .aspx page, the code runs on the server and it will run with the credentials of the application pool account under which this application runs, and not under the client credentials as e.g. Silverlight or JavaScript client-side code would do.

No, the code shouldn't throw any exceptions, since the user has Read permissions, and I hope the List is also inheriting permissions from the site, which means the user has Read permissions on the List as well.

Thus if you try to add an item to the List, it should throw an exception. Reading / querying won't throw any exceptions.

UPDATE

Actually, the other answer seems to be right.

Permissions for application pages are normally set within the application page itself, using the RightsRequired property.

Here's a comprehensive blog post about Application Page security: http://blog-sharepoint.blogspot.com/2011/10/sharepoint-application-page-security.html

Also have a look at:

Securing SharePoint Application Pages
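As an added example (not code from the question or from any of the answers), here is a hardened version of the question's _layouts page written as a LayoutsPageBase subclass: it gates the page with the RightsRequired property mentioned above, disposes the SPSite it opens, shows both identities the first answer argues about, and checks the caller's rights on the target list explicitly instead of relying on an exception. The class name MyPage, the list name "myList" and the field Col2 are assumptions taken from the question.

```csharp
using System;
using System.Security.Principal;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

// Hypothetical hardened version of the question's _layouts page (added example, not the poster's code).
public class MyPage : LayoutsPageBase
{
    // Declarative gate: SharePoint refuses the page to callers lacking this right on the current web.
    protected override SPBasePermissions RightsRequired
    {
        get { return SPBasePermissions.ViewPages; }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Two identities worth logging when diagnosing "why did this not fail": the SharePoint
        // user the request context resolved, and the Windows identity of the executing thread.
        string spUser = SPContext.Current.Web.CurrentUser.LoginName;
        string threadUser = WindowsIdentity.GetCurrent().Name;
        Controls.Add(new Literal { Text = "SP user: " + spUser + ", thread: " + threadUser + "<br/>" });

        // Sites[0] hands back a new SPSite that this code owns and must dispose.
        using (SPSite site = SPContext.Current.Site.WebApplication.Sites[0])
        {
            SPWeb rootWeb = site.RootWeb;                       // owned by the SPSite; not disposed separately
            SPList list = rootWeb.Lists.TryGetList("myList");   // assumed list name from the question

            // Authorize against the target site collection explicitly rather than relying on an exception.
            if (list == null || !list.DoesUserHavePermissions(SPBasePermissions.ViewListItems))
            {
                Controls.Add(new Literal { Text = "No read access to the target list." });
                return;
            }

            SPQuery qry = new SPQuery();
            qry.Query = "<OrderBy><FieldRef Name='Created' Ascending='False'/></OrderBy>";
            qry.ViewFields = "<FieldRef Name='Title' /><FieldRef Name='Col2' />";
            qry.RowLimit = 1;   // only the newest item is needed
            SPListItemCollection items = list.GetItems(qry);
            if (items.Count > 0)
            {
                // Encode before writing into the page so list content is not reflected as markup.
                Controls.Add(new Literal { Text = Server.HtmlEncode(Convert.ToString(items[0]["Col2"])) });
            }
        }
    }
}
```

If the page is reached by a user who lacks rights on site collection 01, the explicit DoesUserHavePermissions check produces a controlled "no access" result rather than an unhandled exception, which is the behaviour the question expected from line 1.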

License: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange