Sharepoint Forum



  Asked By: Tanya    Date: Aug 18    Category: Sharepoint    Views: 660

OK, here is my situation. I have a WSS top level site and subsites are
created beneath it. Not all users will be users of the top site, but a
given user may have access to multiple subsites.

I am creating a web part that lists the user's 'checked out files.' I
couldn't get Query to select on the "Checked Out To" column, so I resorted to
leafing through the documents on a site, seeing if it is checked out, and if
it is if it is checked out to the user and if it is, putting it on the list
to display.

Everything was working well on a given site, however the feature I am trying
to do is to show all the files checked out, on any site they have access to.
There comes my problem.

So I am sitting in subsite 'a' as user 1, I don't have access to the top
level site, but I do have access to subsite b, but perhaps not subsite c.
If I try to get the top level site, I think I am getting exceptions.

So I impersonate the app pool owner, then I start throwing exceptions next
time I access a web.



7 Answers Found

Answer #1    Answered By: Laura Walker     Answered On: Aug 18

I recently ran into the same problem, and went back through the discussions here and found a thread discussing this in great detail. I've pulled out the snippet that really helped me figure it out from Todd:

I suspect that you are crossing into one of the three other application
domains that SharePoint creates. You may want to look at my original
Using Credential-less Impersonation SharePoint Advisor article:
http://mssharepoint.advisorguide.com/doc/16238. Failing that, you will
need to create your own app Domain or Web Service so that the current
http context has no influence on the security context in which your code
runs. Check out Maurice Prather's blog, SharePoint Thoughts:

Answer #2    Answered By: Gopal Jamakhandi     Answered On: Aug 18

BTW, if you want the thread of the other conversation, just e-mail me and I'll zip it up for you. I didn't want to re-post it here.

Answer #3    Answered By: Kristina Cox     Answered On: Aug 18

Yes, please send me that other conversation. I have already used the
credentialless-impersonation and it works fine in some other code of mine.
Specifically, when I go to create a site, I impersonate the AppPoolOwner.

I am now using it in this code to get all the checked out documents, and the
problem I have (I think) is re-establishing context after the impersonation.
Or should I say could be the problem. It could also be that somehow my
system account is not authorized on these subsites, but I see that as
improbable as it created them.

Answer #4    Answered By: Sheena Ray     Answered On: Aug 18

I will look at these in hopes they help.

Answer #5    Answered By: Jaime Weaver     Answered On: Aug 18

One of the tasks on my TODO list is to prove that an approach bandied
about amongst my contemporaries a few months ago either works or doesn't

I wonder (out loud now) if we can avoid creating a secondary app Domain
or web Service just to get a new security context by combining the two
approaches that I have found helpful in most SharePoint situations.

Here is the idea: first drop out of the current IIS impersonation for
the current user using the 'UseAppPoolIdentity' method of my Reverter
class. Then impersonate the System account using the 'UseSystemAccount'
method of my Reverter class. Perform the task that requires God-mode
access and then call the 'UndoSystemAccount' method immediately followed
by the 'ReturnToImpersonatingCurrentUser' method. This requires that the
assembly has Full trust and I don't know that this will work but, it
seems worth a try. I'm just plumb out of time (2:07AM here in Orlando
and I have to get up to teach in just a few hours).
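
Added example, not code from this thread or from the Reverter class mentioned above: a sketch of the elevate, work, revert sequence for the checked-out-files web part, assuming the WSS 3.0 object model, where `SPSecurity.RunWithElevatedPrivileges` runs a delegate under the app pool identity as the system account and restores the caller's context when the delegate returns. `CheckedOutFinder` and `FindForCurrentUser` are hypothetical names, and the elevated results are trimmed to webs the requesting user can read so that elevation does not disclose sites the user has no access to.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example; class and method names are hypothetical, WSS 3.0 API assumed.
public static class CheckedOutFinder
{
    // Server-relative URLs of files checked out to the current user, across
    // every web in the site collection that this user is allowed to read.
    public static List<string> FindForCurrentUser()
    {
        // Capture plain identifiers, not objects: SPSite/SPWeb instances taken
        // from SPContext keep the calling user's security context even after
        // elevation, which shows up as access-denied exceptions later.
        Guid siteId = SPContext.Current.Site.ID;
        string login = SPContext.Current.Web.CurrentUser.LoginName;
        List<string> results = new List<string>();

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects created inside the delegate use the elevated context.
            using (SPSite site = new SPSite(siteId))
            {
                foreach (SPWeb web in site.AllWebs)
                {
                    try
                    {
                        // Security trimming: skip webs the user cannot read.
                        // This is a web-level check; lists with unique
                        // permissions would need their own check.
                        if (!web.DoesUserHavePermissions(login, SPBasePermissions.ViewListItems))
                            continue;
                        foreach (SPList list in web.Lists)
                        {
                            if (list.BaseType != SPBaseType.DocumentLibrary) continue;
                            foreach (SPListItem item in list.Items)
                            {
                                SPFile file = item.File;
                                if (file == null || file.CheckedOutBy == null) continue;
                                if (string.Equals(file.CheckedOutBy.LoginName, login, StringComparison.OrdinalIgnoreCase))
                                    results.Add(file.ServerRelativeUrl);
                            }
                        }
                    }
                    finally { web.Dispose(); } // each web from AllWebs must be disposed
                }
            }
        });
        return results; // only strings leave the elevated block
    }
}
```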

Answer #6    Answered By: Damon Garner     Answered On: Aug 18

Ok, I have an update, I've used the code that had the extra line to ensure the App Pool account was being impersonated, and we've been running the web parts in production for about a month now, after about 2 weeks of UAT testing, and everything is working well.

Answer #7    Answered By: Karla Morrison     Answered On: Aug 18

Wish I understood why that second line is necessary in some settings. If
anyone has suggestions as to why it may be required, I'd love to hear
