RunWithElevatedPrivileges - Usage recommendations

Chris Ballance
  • RunWithElevatedPrivileges - Usage recommendations Chris Ballance

    I have a strong gut feeling that using SharePoint's RunWithElevatedPrivileges should be avoided like the plague, but need to convince some others as to exactly why. Here's what I have.

    • Spawns a new thread with elevated privileges
    • Blocks other operations until the passed delegate returns
    • Security problems (runs with a high level of privileges, perhaps by an end user)
    • Others?

    Originally posted to Stack Overflow.

  • I'm surprised to hear your opposition to rwep. Certain tasks require the elevation of privileges and managed properly, rwep is often your best bet.

    Sure there are potential issues, but that can be said about anything. For example, the attaching of event receivers to a list can cause lists to stop working, take more resources, and forces you to update an assembly to change functionality (as opposed to SPD workflows, for example). However, that doesn't make event receivers bad, it just means you need a working brain to put it to proper use.

    So no, I can't help you with convincing others because I'm not convinced you are right.

    .b

  • I think Keith already answered that question nicely on stackoverflow

    https://stackoverflow.com/questions/1525953/sharepoint-2007-runwithelevatedprivileges-pitfalls-of-using-this

    The quirky nature of RWEP makes me prefer SPUserToken over RWEP

  • I'm using RunWithElevatedPrivileges quite a lot in code. For ex: you want to read/update lists or doc.libs where the current user doesn't have contribute access or even read access but still you want to have the web part or other view be able to send data to the user.

    There are many cases where you can't move forward without using RunWithElevatedPrivileges(), don't be afraid to use that.

  • If you are only trying to update SharePoint objects, you should impersonate the System Account, not RWEP.
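
The two approaches named in the replies above (RunWithElevatedPrivileges, and opening the site with the System Account's SPUserToken), side by side for the read case. This is an added example, not code from any poster in the thread; the class, method and parameter names are hypothetical, and it assumes the code runs in a web request where the caller can pass the current site.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added illustration: ElevatedReads and its members are hypothetical names.
public static class ElevatedReads
{
    // RWEP: only SPSite/SPWeb objects created inside the delegate are elevated.
    // Objects taken from SPContext keep the calling user's permissions.
    public static List<string> TitlesWithRwep(Guid siteId, Guid webId, string listName)
    {
        List<string> titles = new List<string>();
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                CopyTitles(web, listName, titles);
            }
        });
        return titles; // plain strings only; no elevated object leaves the scope
    }

    // SPUserToken: the object model acts as the System Account, but the
    // thread's Windows identity is not switched to the application pool account.
    public static List<string> TitlesWithSystemToken(SPSite currentSite, Guid webId, string listName)
    {
        List<string> titles = new List<string>();
        SPUserToken systemToken = currentSite.SystemAccount.UserToken;
        using (SPSite site = new SPSite(currentSite.ID, systemToken))
        using (SPWeb web = site.OpenWeb(webId))
        {
            CopyTitles(web, listName, titles);
        }
        return titles;
    }

    // Keep the privileged work small: read one field, copy it out as a string.
    private static void CopyTitles(SPWeb web, string listName, List<string> titles)
    {
        SPList list = web.Lists[listName];
        foreach (SPListItem item in list.Items)
        {
            titles.Add(Convert.ToString(item["Title"]));
        }
    }
}
```

Both methods return data the current user could not read directly, so the calling code decides what is shown to that user; neither method performs an authorization check of its own.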

  • When I started learning about RunWithElevatedPrivileges I ran into Daniel Larson's lolcats posts...

    http://daniellarson.spaces.live.com/blog/cns!D3543C5837291E93!1977.entry

    This left me feeling the same about it as you mentioned in your opening post. So I brought the subject up at the "Ask the Experts" development panel during the SharePoint Best Practices Conference in London April 09 (which included top developers like Andrew Connell, Todd Bleeker, Andrew Woodward and Chris O'Brien). There was unanimous agreement by the panel that it was perfectly acceptable to use. Like Bjørn mentions, there are potential issues (similar to a lot of development), but once you understand how to use it there should be no issues.
