本文來自網絡(http://www.sharepointblogs.com/tanujashares/archive/2007/08/07/impersonation-in-sharepoint-2007.aspx):
在進行SharePoint編程時,有時需要修改List中的某一個Item,但是當前的登錄用戶沒有權限對該List修改,那麼在編程時一般可以通過兩種方式來進行,下面就是這兩種方法的介紹:
Impersonation in SharePoint 2007
SharePoint security model makes it easy to programmatically execute code within the current user context.
Just write and deploy web part / event handler code and it runs in the security context of the logged in user. There are even built-in functions that take advantage of the user's security context - such as GetSubwebsForCurrentUser() - without requiring any extra coding on our part which is simple yet effective security mechanism.
But there are situations when the code needs to be executed with permissions greater than that of the current user (like instantiating a site collection or enumerating list permissions or reading a lookup / configuration list on which user may not have access rights).
In such situations, the code needs to be executed with elevated permission level or under the context of user with higher permissions i.e. Impersonation.
So here are the two approaches for u ----
方法一 Executing code as another named user
When we create a SharePoint site programmatically using the Microsoft.SharePoint namespace, we can supply a user token which enables you to create objects in the context of a specific user. You can impersonate a user by supplying the user token for that user, obtained from the Microsoft.SharePoint.SPUser object. The user token, SPUserToken, is a binary object that contains the identification and domain group membership of a user.
This allows you to use the Microsoft.SharePoint.SPSite constructor to instantiate a site collection object that runs as if that user was making changes.
SPSite site = new SPSite("SiteCollection_Url");
SPWeb web = site.OpenWeb();
SPUser user = web.AllUsers["User_Name"]; // User_Name一般可以使用 SHAREPOINT/system
SPUserToken token = user.UserToken;
SPSite impersonatedSiteCollection = new SPSite("SiteCollection_Url", token);
(........ 修改前使用web.AllowUnsafeUpdates = true; 修改結束之後在賦值爲false
注意此時的用戶已經是SHAREPOINT/system,而不是當前登錄用戶,可以調用web.CurrentUser查看
)
Any objects (SPWeb, SPList, etc) that you create from this impersonated site collection will execute as the impersonated user.
This Approach is useful to run any code which requires specific permissions to execute that code (like permission for reading a particular list), rather than having a full control access permission.
In such a case, service account can be created by specific access rights just sufficient enough to execute the code.
Although impersonation provides a powerful new technique for managing security, it should be used with care to make sure that unwanted activity is not performed by users who shouldn't have the ability to impersonate.
方法二 Executing code with elevated privileges
Elevation of privilege is a new feature of that enables you to programmatically perform actions in code using an increased level of privilege. The Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges method enables you to supply a delegate that runs a subset of code in the context of an account with higher privileges than the current user.
For example:
1. Define a public method that acts simply as a front end to the method that does the "real" work.
public void ProcessMethod()
{
SPSecurity.CodeToRunElevated elevatedMethod = new SPSecurity.CodeToRunElevated( ProcessMethodAsElevated);
SPSecurity.RunWithElevatedPrivileges(elevatedMethod);
}
The code uses a method from SPSecurity to indicate the name of the method that will run with Full Control(Basically using Application Pool Account).
In the first line, simply pass in the name of the method as the parameter. In the second line, you execute that method with elevated privileges.
2. Now create the method that does the real work. It is called by the first method (delegate), but executes with Full Control(under Application Pool Account):
private void ProcessMethodAsElevated()
{
//code goes here to do our work
}
We can also implement this method by creating dummy delegate method within a code.
SPSecurity.RunWithElevatedPrivileges(
delegate()
{
//code goes here to do our work
});
This approach can be used in scenarios to read or update Site Collection, Site related objects using Full control in event handlers, features or web parts (i.e. code being executed under SharePoint Context.
In this approach, we can't use any SharePoint objects that were created outside the method or else the impersonation won't work.
We also can't use anything like SPControl.GetContextWeb(Context) because that also blows the impersonation out of the water.
Instead, we can tweak it like SPSite site = new SPSite(SPControl.GetContextSite(Context).ID). (注意使用new SPSite, 並使用using 以便使用完畢後銷燬)In this case, we are instantiating a new SPSite object and only using the GUID of the current site. i.e. recreation of the SPSite object with new permissions.
Also, we should dispose of the SPSite object created within the RunWithElevatedPrivileges() before exiting the scope, because that SPSite will still have the SHAREPOINT/system identity even outside of the RunWithElevatedPrivileges() scope.
RunWithElevatedPrivileges() has no effect when running in a standalone exe.
----Tanuja