SPSecurity.RunWithElevatedPrivileges and Access Denied error on event receiver

April 2nd, 2009 | Categories: C#, Programming, SharePoint

After spending half a day looking for a st00pid mistake, I have to write about this to warn anyone who might run into a similar problem.

In VS I’ve prepared a custom event receiver which needed to run as the system account (for performing actions that the user running the event receiver doesn’t have rights for, like setting permissions, creating subwebs,…)

So my code began with something like this:

public override void ItemUpdated(SPItemEventProperties properties)
{
    base.ItemUpdated(properties);
    _properties = properties;

    // elevate privileges to the system account and run the private method
    SPSecurity.RunWithElevatedPrivileges(doSomethingWithThis);
}

private void doSomethingWithThis()
{
    SPSite site = new SPSite(_properties.SiteId);
    SPWeb web = site.OpenWeb(_properties.RelativeWebUrl);
    SPListItem item = web.Lists[_properties.ListItem]

After running it and tracing the error, I always received an “Access denied” error. How come, if I’m running the code with elevated privileges? Do I need an even higher privilege?

After countless attempts to impersonate an administrator or app pool account (I’m still a rookie at this), I’ve discovered that the SPItemEventProperties are instantiated with the privileges of the user that triggered the event receiver. The error was in my last line (of the example above): _properties.ListItem still holds the rights of the original user. So I fixed my code to:

public override void ItemUpdated(SPItemEventProperties properties)
{
    base.ItemUpdated(properties);
    _properties = properties;

    // elevate privileges to the system account and run the private method
    SPSecurity.RunWithElevatedPrivileges(ustvariPonudbaSubsite);
}

private void ustvariPonudbaSubsite()
{
    SPSite site = new SPSite(_properties.SiteId);
    SPWeb web = site.OpenWeb(_properties.RelativeWebUrl);
    SPListItem item = web.Lists[_properties.ListId].GetItemById(_properties.ListItem.ID);

With that change I opened the SPListItem object as the system account and magically everything started working as it should! The same goes for the site and web objects. If you need to run actions with elevated privileges on SPSite and SPWeb objects, use

new SPSite(_properties.SiteId);
and
site.OpenWeb(_properties.RelativeWebUrl)

instead of

_properties.web
and
web.site;
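
The pattern above as a complete receiver. This is an added example, not code from the original post. It goes slightly further than the post by copying only plain identifiers out of the event properties before elevating and by disposing the SPSite and SPWeb it creates. The class name ElevatedItemReceiver, the helper ApplyElevatedChanges and the permission change it performs are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: class name and helper are hypothetical.
public class ElevatedItemReceiver : SPItemEventReceiver
{
    public override void ItemUpdated(SPItemEventProperties properties)
    {
        base.ItemUpdated(properties);

        // Copy plain identifiers only. SPWeb/SPListItem objects reachable from
        // 'properties' were created for the user who triggered the event and
        // keep that user's permissions even inside the elevated delegate.
        Guid siteId = properties.SiteId;
        string webUrl = properties.RelativeWebUrl;
        Guid listId = properties.ListId;
        int itemId = properties.ListItemId; // same value as properties.ListItem.ID

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Everything instantiated in here is opened as the system account,
            // so keep the elevated section as small as possible.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webUrl))
            {
                SPListItem item = web.Lists[listId].GetItemById(itemId);
                ApplyElevatedChanges(item);
            }
        });
    }

    // Hypothetical action the triggering user has no rights for:
    // stop the item from inheriting the list's permissions.
    private static void ApplyElevatedChanges(SPListItem item)
    {
        if (!item.HasUniqueRoleAssignments)
        {
            item.BreakRoleInheritance(true); // true = copy current assignments
        }
    }
}
```

Because the delegate captures local values instead of a shared _properties field, nothing created in the user's context can leak into the elevated section.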