Maik van der Gaag

Maik van der Gaag

I am Microsoft Azure MVP, Speaker and Father.

Using SPSecurity.RunWithElevatedPrivileges()

2 minute read

The last time I have been receiving questions about using SPSecurity.RunWithElevatedPrivileges in a SharePoint webpart. This made me think and I thought by myself lets write a short post with some examples about this subject.

When you want to build a webpart that will be used by anonymous or read only users you often have to use RunWithElevatedPriviledges because a lot of objects in a SharePoint site require more rights. If you use RunWithElevatedPriviledges you will run a particular action under a account that has more rights in SharePoint.

I hear you asking under what account do we run this particular code then? The answer is the application pool account of your web application.

Now we know that we can write some examples to see what will work. Let’s begin with an example how you should not use RunWithElevatedPriviledges.

 SPWeb web = SPContext.Current.Web;

 SPSecurity.RunWithElevatedPrivileges(delegate()
 {
    SPList list = web.Lists["Test"];
 });

In this example we get the current web object from the SPContext. This means we have got a web object that runs under the account that we are logged in with. After we have got the web object we use RunWithElevatedPriviledges because read only users can not access the list.

If we would run this code in a webpart we will see an access denied message, all because we use a web object that is retrieved with our current context.

Let’s take a look at an example how you could do it the right way (this is the way I mostly use RunWithElevatedPriviledges):

Guid webID = SPContext.Current.Web.ID;
 Guid siteID = SPContext.Current.Site.ID;

 SPSecurity.RunWithElevatedPrivileges(delegate()
 {
    using (SPSite site = new SPSite(siteID))
    {
       using(SPWeb web = site.AllWebs[webID])
       {
          SPList list = web.Lists["Test"];
       }
    }
 });

In this example you can see that we first retrieve the ids of the site collection and the web so that we know which site object and web object we want to work with.

We then use RunWithElevatedPriviledges and retrieve the SPSite and SPWeb within the RunWithElevatedPriviledges. These objects will then run under the account of the application pool.

I hope this post will you guys out there and please fill free to leave comments.

You May Also Enjoy

Getting started with deployment stacks

7 minute read

Since June this year, a new functionality in public preview called deployment stacks. Deployment stacks are Azure resources that enable you to manage a group...

Verified commits in GitHub

5 minute read

Git commits can be signed by using a GPG key. With this GPG key, you can prove that a specific commit comes from you. Doing this will also add a ‘Verified’ b...