Access denied when trying to read information about SharePoint groups
I am trying to get the membership of a group in WSS 3.0. I am doing this in an elevated permissions block. Here is the code:
SPSecurity.RunWithElevatedPrivileges(delegate() { using (SPSite site = new SPSite(SPContext.Current.Site.ID)) { using (SPWeb rootWeb = site.RootWeb) { SPGroup gAdmins = rootWeb.SiteGroups["Admins"]; } } });
I get taken to the "access denied" SharePoint screen when I run this code. The group exists. The identity of the application pool for the web application is in the dbo role in the content database. The code works on my development server, but not on another server, which leads me to believe there is something wrong with the permissions or configuration on this server, maybe something in dcomcnfg?
Here are some lines from the SharePoint log that seem to be related:
PermissionMask check failed. asking for 0x08000000, have 0x00000000 Unknown SPRequest error occurred. More inf开发者_运维技巧ormation: 0x80070005 Access Denied for /Pages/UserAdmin.aspx. StackTrace: Microsoft.SharePoint.Utilities.SPUtility:Void HandleAccessDenied(System.Exception), Microsoft.SharePoint.SPGlobal:Void HandleUnauthorizedAccessException(System.UnauthorizedAccessException), ....
[UserAdmin.aspx hosts my custom web part containing the code]
The problem in this line of your code "SPSite site = new SPSite(SPContext.Current.Site.ID)" Get the Site.ID outside the RWEP scope and then create the SPSite object by passing that ID. The problem is because SPContext.Current is for the actual user and if you try to access that under RWEP it may give you problems or unexpected errors.
It looks like this was happening because I was running in elevated privileges. This is a non-extended FBA site, which means that domain accounts do not and cannot have any access to it. When you run in elevated privileges, you run as the app pool identity, which is typically a domain account. WSS then throws an error because you have suddenly switched from a FBA user to a domain user who has no access to the site.
If you extend the site to use Windows Authentication in addition to FBA, you can grant access to the site to the domain user and it should work.
精彩评论