SPSecurity.RunWithElevatedPrivileges and Access Denied error on event receiver

April 2nd, 2009 | Categories: C#, Programming, SharePoint

After looking half a day for a st00pid mistake, I have to write about this to warn anyone who might run into a similar problem.

In VS I prepared a custom event receiver that needed to run as the system account (to perform actions the user triggering the event receiver has no rights for, like setting permissions, creating subwebs, …).

So my code began with something like this:

    public override void ItemUpdated(SPItemEventProperties properties)
    {
        base.ItemUpdated(properties);
        _properties = properties;

        // elevate privileges to the system account and run the private method
        SPSecurity.RunWithElevatedPrivileges(doSomethingWithThis);
    }

    private void doSomethingWithThis()
    {
        SPSite site = new SPSite(_properties.SiteId);
        SPWeb web = site.OpenWeb(_properties.RelativeWebUrl);
        SPListItem item = web.Lists[_properties.ListItem]

After running it and tracing the error, I always received an “Access denied” error. How come, if I’m running the code with elevated privileges? Do I need an even higher privilege?

After countless attempts to impersonate an administrator or app pool account (I’m still a rookie at this), I discovered that the SPItemEventProperties are instantiated with the privileges of the user that triggered the event receiver. The error was in the last line of the example above: _properties.ListItem still holds the rights of the original user. So I fixed my code to:

    public override void ItemUpdated(SPItemEventProperties properties)
    {
        base.ItemUpdated(properties);
        _properties = properties;

        // elevate privileges to the system account and run the private method
        SPSecurity.RunWithElevatedPrivileges(ustvariPonudbaSubsite);
    }

    private void ustvariPonudbaSubsite()
    {
        SPSite site = new SPSite(_properties.SiteId);
        SPWeb web = site.OpenWeb(_properties.RelativeWebUrl);
        SPListItem item = web.Lists[_properties.ListId].GetItemById(_properties.ListItem.ID);

With that change I open the SPListItem object as the system account, and magically everything started working as it should! The same goes for the site and web objects. If you need to run actions with elevated privileges on SPSite and SPWeb objects, use

new SPSite(_properties.SiteId);
and
site.OpenWeb(_properties.RelativeWebUrl)

instead of

_properties.web
and
web.site;
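
The same fix as a complete receiver, as an added example that is not the author's code: only plain identifiers (SiteId, RelativeWebUrl, ListId, ListItemId) cross into the elevated delegate, and the SPSite and SPWeb opened there are disposed. The class name and the permission change inside the delegate are assumptions for illustration.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical class name; register it as an item event receiver as usual.
public class ElevatedItemReceiver : SPItemEventReceiver
{
    public override void ItemUpdated(SPItemEventProperties properties)
    {
        base.ItemUpdated(properties);

        // Copy plain values only. Guid, string and int carry no security
        // context, unlike properties.ListItem, which is bound to the
        // user who triggered the event.
        Guid siteId = properties.SiteId;
        string webUrl = properties.RelativeWebUrl;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Everything opened inside the delegate runs as the system
            // account. Objects created outside keep the caller's rights,
            // so nothing from the outer scope is reused here.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);

                // Constructed example action: a permission change the
                // triggering user may not be allowed to make.
                if (!item.HasUniqueRoleAssignments)
                {
                    item.BreakRoleInheritance(true);
                }
            }
        });
    }
}
```

Keep the elevated delegate as small as possible: every change made inside it is performed as the system account, not as the user who edited the item.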

  1. September 9th, 2009 at 18:53

    Thanks, Boris! This saved me a lot of time today.

  2. Boris Gomiunik
    September 15th, 2009 at 23:23

    Glad you found it useful :)

  3. phil shisbey
    April 12th, 2010 at 20:01

    You’re a genius. Thanks!

  4. KevinHou
    May 21st, 2010 at 22:27

    Awesome! Worked like a champ. How did you discover this? Was this documented somewhere?

  5. June 9th, 2010 at 22:40

    Thank you!
    Wish I would have found this post 8 hours ago…