This is a post that I’d imagine most people who have been developing with SharePoint will be aware of but I thought it might be worthwhile blogging about.<\/p>\n
I’ve seen code where people have tried to impersonate a user to perform actions against a SharePoint file by using the LogonUser function.<\/p>\n
\r\n[System.Runtime.InteropServices.DllImport(\"ADVAPI32.DLL\")]\r\npublic static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out int phToken);\r\n<\/pre>\nWhen working with SharePoint, there is no need for this. For starters, the above function requires you to know the user’s password. Now, of course, there are good reasons why the business rules may require this and I’m not saying it shouldn’t be implemented that way. For the scenarios where this is not required, there’s a very easy and simple way of impersonating a valid SharePoint user, without having to know their password.
\n
\nOne simple way of impersonating another user is to wrap the Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges<\/em> method around your code. This will ensure all objects created within the method are executed as the application pool user. There’s no point in wrapping this around code like the following sample.<\/p>\n\r\nSPContext.Current.ListItem[\"a field\"] = \"a value\";\r\n<\/pre>\nThis will execute as the currently logged in user and not the elevated user. To run as the elevated user it’s important to open the site or web objects while inside the method.<\/p>\n
\r\nSPSecurity.RunWithElevatedPrivileges(() =>\r\n{\r\n using (SPSite site = new SPSite(SPContext.Current.Site.ID))\r\n {\r\n using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))\r\n {\r\n SPListItem item = web.GetListItem(SPContext.Current.ListItemServerRelativeUrl);\r\n item[\"a field\"] = \"a value\";\r\n }\r\n }\r\n});\r\n<\/pre>\nBut I digress, the point of this post was to demonstrate how to impersonate a specific user and not the application pool user for the current web application.<\/p>\n
If the code above executed as the application pool user, the following will execute as the user Joe Bloggs. There is no exception handling, so obviously if the user did not exist in the site the code would fail but it shows you how to impersonate an individual user by using their token.<\/p>\n
\r\nSPUser jbloggsUser = SPContext.Current.Web.AllUsers[\"domain\\jbloggs\"];\r\nusing (SPSite site = new SPSite(SPContext.Current.Site.ID, jbloggsUser.UserToken))\r\n{\r\n using (SPWeb web = site.OpenWeb(SPContext.Current.Web.ID))\r\n {\r\n SPListItem item = web.GetListItem(SPContext.Current.ListItemServerRelativeUrl);\r\n item[\"a field\"] = \"a value\";\r\n }\r\n}\r\n<\/pre>\nThe difference with this code is with the SPSite constructor, where we pass the SPUserToken object for Joe Bloggs. The containing code will now execute as this user.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is a post that I’d imagine most people who have been developing with SharePoint will be aware of but I thought it might be worthwhile blogging about. I’ve seen code where people have tried to impersonate a user to … Continue reading