Question

My understanding is/was that by default asynchronous event receivers ran under system permissions, while synchronous event receivers run under user permissions -- and that ItemAdding is synchronous, ItemAdded is asynchronous. Now I'm encountering a permissions issue using the ItemAdded event and I'm not sure if I've gotten this all wrong.

I have a feature which, amongst other things, deploys an ItemAdded event receiver. It's a super simple event receiver that just takes the listItemId and fills a custom column with that number once the item has been added.

I have several users who have edit permissions on the list, and several who don't. When an item is added under an account with edit permissions, the event receiver does its intended job. When an item is added by a user without edit permissions, it fails. When debugging, the SPItemEventProperties show the UserDisplayName and the UserLoginName. When the code hits properties.ListItem.Update() I get an UnauthorizedAccessException.

If it matters: this list has a custom content type and a custom list definition deployed through the same feature, and is created programmatically when the feature is activated. The items that appear in the list are created programmatically on ItemAdding.

I know I could put in an impersonation step, and I might have to in order to get this working quickly enough, but I'd really like to understand where I'm going wrong with my train of thought here. Am I completely wrong about how ItemAdded is run, am I missing a setting somewhere, or what?

Things I've tried: explicitly defining my ItemAdded event receiver as asynchronous in the CAML, adding a list item non-programmatically to check it wasn't a quirk of adding items in ItemAdding, debugging as users with and without edit permissions to check it was really the update failing, and trying both a Visual Studio deploy and a WSP deploy.

I'll add code if people request specific bits, but right now I'm not really sure what's relevant and it might just be a problem with my understanding anyway! Feel stupid asking this but I'm stuck :)


Solution

Asynchronous events still run in the context of the user that triggered the event; your initial assumption is incorrect.

Hopefully you are actually impersonating and not just using the RunWithElevatedPrivileges delegate to sidestep security.

Take a good read of this and understand the implications of RWEP: http://www.danlarson.com/best-practices-for-elevated-privilege-in-sharepoint/
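One way to do the impersonation the answer refers to, shown as an added example rather than code from the question or the answer: the receiver re-opens the site under the system account token and touches only the one item that raised the event. The class name and the `ItemNumber` column are assumptions, and `SPUserToken.SystemAccount` requires SharePoint 2010 or later.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical receiver: the class name and the "ItemNumber" column are
// assumptions made for this example.
public class ItemNumberReceiver : SPItemEventReceiver
{
    private const string TargetField = "ItemNumber"; // assumed internal column name

    public override void ItemAdded(SPItemEventProperties properties)
    {
        // properties.ListItem belongs to the triggering user's context, so
        // calling Update() on it is checked against that user's permissions.
        // Capture plain identifiers only and re-fetch the item further down.
        Guid siteId = properties.SiteId;
        string webUrl = properties.RelativeWebUrl;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;

        // Stop this update from re-triggering receivers on the same item.
        bool wasFiring = EventFiringEnabled;
        EventFiringEnabled = false;
        try
        {
            // A new SPSite built with the system account token: every object
            // obtained from it is elevated, nothing outside this block is.
            using (SPSite site = new SPSite(siteId, SPUserToken.SystemAccount))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);

                // The only elevated write: one field, set to a server-side
                // value, never to anything supplied by the user.
                item[TargetField] = itemId;

                // SystemUpdate leaves Modified / Modified By untouched;
                // 'false' means no new version is created.
                item.SystemUpdate(false);
            }
        }
        finally
        {
            EventFiringEnabled = wasFiring;
        }
    }
}
```

Objects taken from `properties` or `SPContext` keep the original user's identity even inside an elevated scope, which is why the item is fetched again from the new `SPSite`.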

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange