I’ve used the method for this previously in the solution, BreakRoleInheritance(false), so that no inherited roles are copied, but then this was done on a POST request and now it should do almost the same during a GET request, that is, when the user navigates to the page.

All this is done under elevated privileges and looks something like this:

SPSecurity.RunWithElevatedPrivileges(delegate() {
  using (SPSite site = new SPSite(url)) {
    using (SPWeb web = site.OpenWeb(url.Replace(site.Url, string.Empty))) {
      web.AllowUnsafeUpdates = true;
      Guid guid = web.Lists.Add(name, string.Empty, SPListTemplateType.DocumentLibrary);
      SPList list = web.Lists[guid];
      ...
      list.BreakRoleInheritance(false);
      ...
      list.Update();
    }
  }
});

This gives me the following error when running during a GET request.

“Updates are currently disallowed on GET requests. To allow updates on a GET, set the ‘AllowUnsafeUpdates’ property on SPWeb.”

If I rewrite the code, change BreakRoleInheritance(false) to BreakRoleInheritance(true), and set AllowUnsafeUpdates to true once again, it works fine, and I have to manually get rid of all the roles.

Why is it so?

If you step through the code in the working sample, you will see that after the BreakRoleInheritance(true) line the AllowUnsafeUpdates property of the SPWeb object has changed to false. The AllowUnsafeUpdates property resets to false whenever any ISecurable object changes its role definitions, and the BreakRoleInheritance method calls an internal function that invalidates the SPWeb object, which resets the AllowUnsafeUpdates property.

The exception is then thrown after breaking the role inheritance and when the method tries to remove the roles from the list. I initially thought that it was the other way around and therefore was a bit confused.

So the correct way is this:

SPSecurity.RunWithElevatedPrivileges(delegate() {
  using (SPSite site = new SPSite(url)) {
    using (SPWeb web = site.OpenWeb(url.Replace(site.Url, string.Empty))) {
      web.AllowUnsafeUpdates = true;
      Guid guid = web.Lists.Add(name, string.Empty, SPListTemplateType.DocumentLibrary);
      SPList list = web.Lists[guid];
      ...
      // The exception is thrown here when the parameter is "false"
      list.BreakRoleInheritance(true);
      // BreakRoleInheritance has reset the flag to false, so set it again
      web.AllowUnsafeUpdates = true;
      // Remove the copied role assignments, last to first
      SPRoleAssignmentCollection roleAssigns = list.RoleAssignments;
      for (int i = roleAssigns.Count - 1; i >= 0; i--) {
        roleAssigns.Remove(i);
      }
      list.Update();
    }
  }
});
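
The same sequence as an added example (not code from the original post): a hypothetical helper, UniquePermissions.BreakAndClear, that puts AllowUnsafeUpdates back to its previous value in a finally block, so the flag stays on only for the permission change. It assumes the caller passes the elevated SPWeb and a list obtained from that same SPWeb, as in the code above.

```csharp
using System;
using Microsoft.SharePoint;

public static class UniquePermissions
{
    // Hypothetical helper (not a SharePoint API): gives a list unique, empty
    // permissions while keeping AllowUnsafeUpdates on only as long as needed.
    public static void BreakAndClear(SPWeb web, SPList list)
    {
        // Remember the caller's setting so it can be restored afterwards.
        bool original = web.AllowUnsafeUpdates;
        try
        {
            web.AllowUnsafeUpdates = true;

            // Copy the parent's role assignments; passing false fails on a GET
            // request for the reason explained above.
            list.BreakRoleInheritance(true);

            // BreakRoleInheritance has reset the flag to false; turn it back on
            // before touching the role assignments.
            web.AllowUnsafeUpdates = true;

            // Remove the copied assignments, last to first, so the indexes
            // of the remaining entries stay valid.
            SPRoleAssignmentCollection assignments = list.RoleAssignments;
            for (int i = assignments.Count - 1; i >= 0; i--)
            {
                assignments.Remove(i);
            }
            list.Update();
        }
        finally
        {
            // Runs even if a call above throws, so the SPWeb is never left
            // accepting updates on GET requests by accident.
            web.AllowUnsafeUpdates = original;
        }
    }
}
```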

Reference:
http://www.wictorwilen.se/Post/BreakRoleInheritance-and-AllowUnsafeUpdates.aspx
http://www.delphi-ts.com/blogs/lozzi/2008/10/31/TheSecurityValidationForThisPageIsInvalid.aspx
