MSDN Magazine - February 2008 - (Page 58)

Figure 3 Impersonating a WSS User Identity SPWeb siteCollection = SPContext.Current.Site; SPWeb site = SPContext.Current.Web; // get SPUser object and acquire token SPUser targetUser = site.SiteUsers[@”LITWAREINC\BrianC”]; SPUserToken token = targetUser.UserToken; // create new SPSite and SPWeb object to impersonate user using (SPSite impersonatedSiteCollection = new SPSite(siteCollection.ID, token)) { using (SPWeb impersonatedSite = impersonatedSiteCollection.OpenWeb(site.ID)) { // WSS identity switched to impersonate BrianC // Windows identity does not change } } Why does this sample code fail after you have elevated the WSS user identity to SHAREPOINT\System? It has to do with when the SPSite object was created. The permissions in effect on an SPSite object and its child SPWeb objects do not depend on the current WSS user identity. Instead, the permissions depend on the WSS user identity at the time the SPSite object is created. Here, the SPSite object accessible through SPContext.Current was created earlier in the request, before your code had a chance to switch its WSS user identity. Thus, the technique you should use requires that you create a new SPSite object after you have called RunWithElevatedPrivileges and elevated WSS user identity to SHAREPOINT\System: SPSecurity.RunWithElevatedPrivileges(delegate() { using (SPSite elevatedSiteCollection = new SPSite(this.Site.ID)) { using (SPWeb elevatedSite = elevatedSiteCollection.OpenWeb(this.Web.ID)) { // access elevatedSiteCollection and //elevatedSite as SHAREPOINT\System } } }); is different than a call to RunWithElevatedPrivileges because it does not change the current Windows identity. If, for example, a request is running under the Windows identity of LITWAREINC\ SP_WorkerProcess before you impersonate a WSS user, the code continues to run under the same Windows identity. WSS user impersonation does not change the current Windows identity over to the identity of the impersonated user. It is also important to point out that code must be running in a privileged state in order to impersonate another user. This isn’t something you have to worry about in an event handler or a custom workflow template since the code is running as SHAREPOINT\ System by default. However, code inside a Web Part or behind a custom application page might need to call RunWithElevatedPrivileges before it even has the ability to impersonate another WSS user identity. The real power in configuring WSS security involves the flexibility afforded by securable objects, such as sites, lists, and list items. Each securable object can contain an Access Control List (ACL), which is a binary data structure that WSS uses at run time to determine whether a security principal has been granted access. By default, the only securable object that has an ACL is the top-level site. Child objects (such as list, list items, and child site) all inherit the ACL of their parent unless they break the inheritance and thereby provide a unique ACL of their own. The WSS object model contains an interface named ISecurableObject that models a securable object within a WSS site collection (see Figure 4). The ISecurableObject interface, which is implemented by SPWeb objects, SPList objects, and SPItem objects, provides a basis for conducting access checks at run time as well as for configuring permissions. As you begin to configure permissions within a site collection, it’s important to understand that all of the sites, lists, and list items make up a single hierarchy of securable objects. By default, just the top-level site contains a unique ACL and defines permission-level assignments that dictate what permissions users have to access objects. All child objects inherit their permissions from the top-level site. However, you can be more granular about configuring access control by giving a securable object its own unique set of permis- Securable Objects This makes it possible to open a site collection and the sites within so that your code can access objects as SHAREPOINT\System. You might also find it necessary to impersonate a specific WSS user identity. This is common when writing the code for an event handler or a custom workflow template where the code is running as SHAREPOINT\System by default. For example, you might want to impersonate a specific WSS user identity before creating a new object so that WSS user is recognized as the owner of the new object. In order to impersonate a WSS user identity, you must first create an SPUserToken object. You can do this by accessing the UserToken property of an SPUser object. Once you have the SPUserToken object, you can use it to create a new SPSite object using an overloaded version of the SPSite class constructor. This technique is shown in Figure 3. There are a few important things I should point out about using WSS user impersonation. First, impersonating a WSS user Figure 4 The ISecurableObject Interface 58 msdnmagazine Office Space Table of Contents for the Digital Edition of MSDN Magazine - February 2008MSDN Magazine - February 2008ContentsToolboxCLR Inside OutBasic InstinctsData PointsCutting EdgeOffice SpaceRoll Your OwnWinUnitSilverlightPIAB And WCFWF How-ToTest RunFoundations.NET Matters{End Bracket}MSDN Magazine - February 2008MSDN Magazine - February 2008 - Contents (Page Cover1)MSDN Magazine - February 2008 - Contents (Page Cover2)MSDN Magazine - February 2008 - Contents (Page 1)MSDN Magazine - February 2008 - Contents (Page 2)MSDN Magazine - February 2008 - Contents (Page 3)MSDN Magazine - February 2008 - Contents (Page 4)MSDN Magazine - February 2008 - Contents (Page 5)MSDN Magazine - February 2008 - Contents (Page 6)MSDN Magazine - February 2008 - Contents (Page 7)MSDN Magazine - February 2008 - Contents (Page 8)MSDN Magazine - February 2008 - Contents (Page 9)MSDN Magazine - February 2008 - Contents (Page 10)MSDN Magazine - February 2008 - Toolbox (Page 11)MSDN Magazine - February 2008 - Toolbox (Page 12)MSDN Magazine - February 2008 - Toolbox (Page 13)MSDN Magazine - February 2008 - Toolbox (Page 14)MSDN Magazine - February 2008 - Toolbox (Page 15)MSDN Magazine - February 2008 - Toolbox (Page 16)MSDN Magazine - February 2008 - Toolbox (Page 17)MSDN Magazine - February 2008 - Toolbox (Page 18)MSDN Magazine - February 2008 - CLR Inside Out (Page 19)MSDN Magazine - February 2008 - CLR Inside Out (Page 20)MSDN Magazine - February 2008 - CLR Inside Out (Page 21)MSDN Magazine - February 2008 - CLR Inside Out (Page 22)MSDN Magazine - February 2008 - CLR Inside Out (Page 23)MSDN Magazine - February 2008 - CLR Inside Out (Page 24)MSDN Magazine - February 2008 - Basic Instincts (Page 25)MSDN Magazine - February 2008 - Basic Instincts (Page 26)MSDN Magazine - February 2008 - Basic Instincts (Page 27)MSDN Magazine - February 2008 - Basic Instincts (Page 28)MSDN Magazine - February 2008 - Basic Instincts (Page 29)MSDN Magazine - February 2008 - Basic Instincts (Page 30)MSDN Magazine - February 2008 - Data Points (Page 31)MSDN Magazine - February 2008 - Data Points (Page 32)MSDN Magazine - February 2008 - Data Points (Page 33)MSDN Magazine - February 2008 - Data Points (Page 34)MSDN Magazine - February 2008 - Data Points (Page 35)MSDN Magazine - February 2008 - Data Points (Page 36)MSDN Magazine - February 2008 - Data Points (Page 37)MSDN Magazine - February 2008 - Data Points (Page 38)MSDN Magazine - February 2008 - Data Points (Page 39)MSDN Magazine - February 2008 - Data Points (Page 40)MSDN Magazine - February 2008 - Data Points (Page 41)MSDN Magazine - February 2008 - Data Points (Page 42)MSDN Magazine - February 2008 - Cutting Edge (Page 43)MSDN Magazine - February 2008 - Cutting Edge (Page 44)MSDN Magazine - February 2008 - Cutting Edge (Page 45)MSDN Magazine - February 2008 - Cutting Edge (Page 46)MSDN Magazine - February 2008 - Cutting Edge (Page 47)MSDN Magazine - February 2008 - Cutting Edge (Page 48)MSDN Magazine - February 2008 - Cutting Edge (Page 49)MSDN Magazine - February 2008 - Cutting Edge (Page 50)MSDN Magazine - February 2008 - Cutting Edge (Page 51)MSDN Magazine - February 2008 - Cutting Edge (Page 52)MSDN Magazine - February 2008 - Office Space (Page 53)MSDN Magazine - February 2008 - Office Space (Page 54)MSDN Magazine - February 2008 - Office Space (Page 55)MSDN Magazine - February 2008 - Office Space (Page 56)MSDN Magazine - February 2008 - Office Space (Page 57)MSDN Magazine - February 2008 - Office Space (Page 58)MSDN Magazine - February 2008 - Office Space (Page 59)MSDN Magazine - February 2008 - Office Space (Page 60)MSDN Magazine - February 2008 - Office Space (Page 61)MSDN Magazine - February 2008 - Roll Your Own (Page 62)MSDN Magazine - February 2008 - Roll Your Own (Page 63)MSDN Magazine - February 2008 - Roll Your Own (Page 64)MSDN Magazine - February 2008 - Roll Your Own (Page 65)MSDN Magazine - February 2008 - Roll Your Own (Page 66)MSDN Magazine - February 2008 - Roll Your Own (Page 67)MSDN Magazine - February 2008 - Roll Your Own (Page 68)MSDN Magazine - February 2008 - Roll Your Own (Page 69)MSDN Magazine - February 2008 - Roll Your Own (Page 70)MSDN Magazine - February 2008 - Roll Your Own (Page 71)MSDN Magazine - February 2008 - Roll Your Own (Page 72)MSDN Magazine - February 2008 - Roll Your Own (Page 73)MSDN Magazine - February 2008 - WinUnit (Page 74)MSDN Magazine - February 2008 - WinUnit (Page 75)MSDN Magazine - February 2008 - WinUnit (Page 76)MSDN Magazine - February 2008 - WinUnit (Page 77)MSDN Magazine - February 2008 - WinUnit (Page 78)MSDN Magazine - February 2008 - WinUnit (Page 79)MSDN Magazine - February 2008 - WinUnit (Page 80)MSDN Magazine - February 2008 - WinUnit (Page 81)MSDN Magazine - February 2008 - WinUnit (Page 82)MSDN Magazine - February 2008 - WinUnit (Page 83)MSDN Magazine - February 2008 - WinUnit (Page 84)MSDN Magazine - February 2008 - WinUnit (Page 85)MSDN Magazine - February 2008 - Silverlight (Page 86)MSDN Magazine - February 2008 - Silverlight (Page 87)MSDN Magazine - February 2008 - Silverlight (Page 88)MSDN Magazine - February 2008 - Silverlight (Page 89)MSDN Magazine - February 2008 - Silverlight (Page 90)MSDN Magazine - February 2008 - Silverlight (Page 91)MSDN Magazine - February 2008 - Silverlight (Page 92)MSDN Magazine - February 2008 - PIAB And WCF (Page 93)MSDN Magazine - February 2008 - PIAB And WCF (Page 94)MSDN Magazine - February 2008 - PIAB And WCF (Page 95)MSDN Magazine - February 2008 - PIAB And WCF (Page 96)MSDN Magazine - February 2008 - PIAB And WCF (Page 97)MSDN Magazine - February 2008 - PIAB And WCF (Page 98)MSDN Magazine - February 2008 - PIAB And WCF (Page 99)MSDN Magazine - February 2008 - PIAB And WCF (Page 100)MSDN Magazine - February 2008 - WF How-To (Page 101)MSDN Magazine - February 2008 - WF How-To (Page 102)MSDN Magazine - February 2008 - WF How-To (Page 103)MSDN Magazine - February 2008 - WF How-To (Page 104)MSDN Magazine - February 2008 - WF How-To (Page 105)MSDN Magazine - February 2008 - WF How-To (Page 106)MSDN Magazine - February 2008 - WF How-To (Page 107)MSDN Magazine - February 2008 - WF How-To (Page 108)MSDN Magazine - February 2008 - WF How-To (Page 109)MSDN Magazine - February 2008 - WF How-To (Page 110)MSDN Magazine - February 2008 - WF How-To (Page 111)MSDN Magazine - February 2008 - WF How-To (Page 112)MSDN Magazine - February 2008 - WF How-To (Page 113)MSDN Magazine - February 2008 - WF How-To (Page 114)MSDN Magazine - February 2008 - Test Run (Page 115)MSDN Magazine - February 2008 - Test Run (Page 116)MSDN Magazine - February 2008 - Test Run (Page 117)MSDN Magazine - February 2008 - Test Run (Page 118)MSDN Magazine - February 2008 - Test Run (Page 119)MSDN Magazine - February 2008 - Test Run (Page 120)MSDN Magazine - February 2008 - Test Run (Page 121)MSDN Magazine - February 2008 - Test Run (Page 122)MSDN Magazine - February 2008 - Foundations (Page 123)MSDN Magazine - February 2008 - Foundations (Page 124)MSDN Magazine - February 2008 - Foundations (Page 125)MSDN Magazine - February 2008 - Foundations (Page 126)MSDN Magazine - February 2008 - Foundations (Page 127)MSDN Magazine - February 2008 - Foundations (Page 128)MSDN Magazine - February 2008 - Foundations (Page 129)MSDN Magazine - February 2008 - Foundations (Page 130)MSDN Magazine - February 2008 - Foundations (Page 131)MSDN Magazine - February 2008 - Foundations (Page 132)MSDN Magazine - February 2008 - .NET Matters (Page 133)MSDN Magazine - February 2008 - .NET Matters (Page 134)MSDN Magazine - February 2008 - .NET Matters (Page 135)MSDN Magazine - February 2008 - .NET Matters (Page 136)MSDN Magazine - February 2008 - .NET Matters (Page 137)MSDN Magazine - February 2008 - .NET Matters (Page 138)MSDN Magazine - February 2008 - .NET Matters (Page 139)MSDN Magazine - February 2008 - {End Bracket} (Page 140)MSDN Magazine - February 2008 - {End Bracket} (Page Cover3)MSDN Magazine - February 2008 - {End Bracket} (Page Cover4)http://www.nxtbookMEDIA.com

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.