Re: User Impersonate error


From: Ryan Chomiak (ryan.chomiak_at_N0SpamPL3A5Eoyster.com)
Date: 04/20/04


Date: Tue, 20 Apr 2004 02:35:36 -0700


"Ryan Chomiak" <ryan.chomiak@N0SpamPL3A5Eoyster.com> wrote in
news:#1QwOQsCEHA.3256@TK2MSFTNGP09.phx.gbl:

> Hi,
>
> I'm trying to impersonate a user using the code that can be found in
> the SharePoint SDK under 'Handling document library events'. I've
> dropped in the C# version OK, but I find that it does not work for
> what I want to do.
>
> I want users with contributor sharepoint roles to be able to add a
> fellow user to the system using the following code:
>
> WindowsImpersonationContext wic =
>     CreateIdentity("admin", "testdomain", "password").Impersonate();
>
> SPWeb spSite = SPControl.GetContextSite(Context).AllWebs[
>     AreaManager.GetSystemAreaGuid(PortalContext.Current, SystemArea.Home)];
>
> // this will be either a contributor or a reader role
> SPRole spRole = spSite.Roles[ddSpRole.SelectedItem.Value];
>
> spRole.AddUser(domain + cn, mail, fullname, usernotes);
>
> When running this code fragment I get a "security validation for this
> page is incorrect. click back in your browser and try the operation
> again." error.
> I find that the Windows impersonation seems to have the login
> properties but has the IsAuthenticated property set to false.
> What I don't understand is that whilst a user is supposed to be
> impersonated as an administrator account, the HttpContext User
> property is still set to the user before the impersonation occurred.
> Could this be why this code fragment fails?
> Should/can the HttpContext be reset for the currently impersonated
> Windows user?
>
> Thanks in advance,
> Ryan
>
>
>

Following a request for a follow-up on my progress I thought I'd post
this...

I fixed this just yesterday! The fix seems somewhat convoluted, but it
did not involve impersonation.
 
The problem I found with impersonation is that although you impersonated
OK, the impersonated user was not authenticated in the HTTP context and I
could not get around this. Also, even though the user was impersonated
but not authenticated, SharePoint still knew that the current user
accessing a web was the previous user before impersonation.
 
Basically the only user that had the right to add a user was the domain
admin. After playing around with SharePoint permissions and masking I
found that SharePoint only allows adding users by using permission
masking. See the code I used below:
SPSite spSite = SPControl.GetContextSite(Context);

// Skip the form-digest check ("security validation for this page is
// incorrect") for updates made from this page
spSite.AllowUnsafeUpdates = true;

// Let SharePoint catch access-denied exceptions itself (it redirects to
// its own page) instead of throwing them back to this code
spSite.CatchAccessDeniedException = true;

SPWeb spWeb = spSite.RootWeb;

// SPRole derives from SPMember, so the role itself is the key into the
// web's permission collection
SPMember spMember = spWeb.Roles["Contributor"];

// Grants every member of the Contributor role ALL rights on the web,
// not only the right needed to add users
spWeb.Permissions[spMember].PermissionMask = SPRights.FullMask;

SPRole spRole = spWeb.Roles["Contributor"];
spRole.AddUser(username, mail, fullname, usernotes);

spWeb.Dispose();
spSite.Dispose();

The most important section is the PermissionMask. I've granted full
rights to the Contributor role.
To get this working I initially placed a full-rights mask on the whole
Contributor role, but you can tweak the rights and roles to your liking,
as well as only applying it to individual users if needed.
 
It's important to note that if a user does not have an existing
permission mask for what they want to do, they will not be able to
promote themselves to a higher access mask or promote other
users. By attempting to promote themselves you will run into the same
authorisation/login issue. Initially a user such as the domain admin must
create a user, drop them into a role and apply this mask first. Only then
will the user created be able to add users based on their mask.
 
To further confuse things :-( the mask you apply (on initial inspection)
seems to bear no resemblance to the permissions you apply to a role
within the SharePoint front-end. If a contributor has a full access mask
they still seem to retain their SharePoint access permissions. This mask
only seems to be relevant at a coding level.
 
Hopefully someone from MS could explain this further at some point, or
maybe clarify my understanding.
 
Thanks,
Ryan
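As an added example (not Ryan's code and not from the SharePoint SDK), here is the same operation written so that the role is granted only the right that covers managing site groups rather than SPRights.FullMask, and so that the current user's rights are checked before AddUser is attempted. It assumes the WSS 2.0 object model; SPRights.ManageRoles, SPPermission.Update and SPWeb.DoesUserHavePermissions are the member names as I recall them from that SDK, so verify them against your own installation. The role name, login values and HttpContext are placeholders.

```csharp
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

// Added example, not code from the original post.
// Assumes the WSS 2.0 object model; SPRights.ManageRoles is assumed to be
// the right that covers adding users to a site group.
public static class RoleUserAdder
{
    // One-time setup, run by an account that already holds the right
    // (e.g. the domain admin): add ManageRoles to an existing role's mask
    // instead of replacing the whole mask with SPRights.FullMask.
    public static void GrantManageRoles(SPWeb web, string roleName)
    {
        SPMember member = web.Roles[roleName];
        SPPermission perm = web.Permissions[member];

        // OR the bit in so the role keeps the rights it already has.
        perm.PermissionMask = perm.PermissionMask | SPRights.ManageRoles;

        // Assumed to persist the new mask; the original post relied on the
        // property setter alone.
        perm.Update();
    }

    // Called from the page by the contributor. Checks the right up front so
    // a missing mask fails with a clear exception rather than the generic
    // "security validation for this page is incorrect" error.
    public static void AddUserToRole(HttpContext context, string roleName,
        string login, string mail, string fullName, string notes)
    {
        // The site and web come from the page's own context, so they are
        // deliberately not disposed here.
        SPSite site = SPControl.GetContextSite(context);
        SPWeb web = site.RootWeb;

        if (!web.DoesUserHavePermissions(SPRights.ManageRoles))
        {
            throw new UnauthorizedAccessException(
                "Current user lacks ManageRoles on " + web.Url);
        }

        // The update is made from a page POST without the form digest that
        // SharePoint's own pages carry, so the digest check must be skipped.
        site.AllowUnsafeUpdates = true;
        try
        {
            SPRole role = web.Roles[roleName];
            role.AddUser(login, mail, fullName, notes);
        }
        finally
        {
            // Restore the check as soon as the update is done.
            site.AllowUnsafeUpdates = false;
        }
    }
}
```

The point of the split is that GrantManageRoles runs once, under an account that already has the right, while AddUserToRole is what the contributor's page calls; the explicit DoesUserHavePermissions check turns the precondition Ryan describes (a user cannot promote themselves or others without an existing mask) into a readable failure instead of the generic validation error.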


