ConfigStore and SPSecurity issues

Feb 20, 2009 at 3:50 PM
Hi Chris

I've created a web part which, depending on the logged-in user, fetches data from 3 different lists and presents that data. All 3 lists have different permissions set, and some of the users don't even have read permissions on the lists. When I started to work on the web part, a few properties (like list URLs) were hardcoded and everything worked fine. When the web part was finished and working as expected, I decided to move those few properties (hardcoded URLs) to the Config Store list and retrieve them later. At this moment my nightmare began :).
Whatever I tried, I was getting Access Denied when trying to access the GetValue method of the ConfigStore class, except when I was logged in as the SharePoint System Account.
When I looked at your code I saw that you are using the SPSecurity.RunWithElevatedPrivileges method to retrieve the values of the configuration settings. As I can see now, this is not doing the right thing.
Have you ever had an experience/problem like this?

I am curious to check if my way of accessing SharePoint objects will do the trick, because it worked until I started to use Config Store. Just as a quick explanation, this is how I deal with the security issues on the SharePoint objects:

Before accessing an object on which I might get AccessDenied, I open the SPSite by passing the System Account user token, aka

SPUser user = SPContext.Current.Web.AllUsers[@"SHAREPOINT\SYSTEM"];
SPUserToken adminToken = user.UserToken;

and then open the SPSite where all code is executed with elevated privileges

using (SPSite site = new SPSite(, adminToken))
using (SPWeb web = site.OpenWeb())
{
    // do something useful here...
}

I want to try and change your code to see if it will work like this, but I don't want to do the same in the future when a new version of ConfigStore is released.

Please take a look at my suggestion if you have time.
Thanks again for the great implementation.
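
The token-based pattern described in the post, written out as a helper that returns only the value it reads and disposes the system-token SPSite/SPWeb before returning, so no elevated object reaches the calling web part. This is an added example, not code from the post or from ConfigStore; the class name, the parameters (listUrl, keyField, valueField) and the assumption that the list lives in the current web are hypothetical.

```csharp
using System;
using System.Security;
using Microsoft.SharePoint;

// Hypothetical helper for this example; runs inside a SharePoint web request.
public static class SystemTokenReader
{
    // Returns the valueField of the first item whose keyField equals key, or null.
    // listUrl is the server-relative URL of a list in the current web (assumption).
    public static string ReadValue(string listUrl, string keyField,
                                   string valueField, string key)
    {
        if (string.IsNullOrEmpty(key))
            throw new ArgumentException("key is required", "key");

        SPContext ctx = SPContext.Current;

        // Token lookup as in the post. SPContext objects keep the caller's
        // identity; only the SPSite created below is bound to the system token.
        SPUserToken systemToken = ctx.Web.AllUsers[@"SHAREPOINT\system"].UserToken;

        using (SPSite site = new SPSite(ctx.Site.ID, systemToken))
        using (SPWeb web = site.OpenWeb(ctx.Web.ID))
        {
            SPList list = web.GetList(listUrl);

            // Escape caller-supplied text before placing it in the CAML query.
            SPQuery query = new SPQuery();
            query.RowLimit = 1;
            query.Query =
                "<Where><Eq><FieldRef Name='" + SecurityElement.Escape(keyField) + "'/>" +
                "<Value Type='Text'>" + SecurityElement.Escape(key) + "</Value></Eq></Where>";

            SPListItemCollection items = list.GetItems(query);
            if (items.Count == 0)
                return null;

            // Copy the value out as a string; the SPListItem itself belongs to
            // the elevated web and must not be used after this block ends.
            object value = items[0][valueField];
            return value == null ? null : value.ToString();
        }
    }
}
```

Because the read bypasses the current user's list permissions, the caller should pass only fixed list URLs and keys rather than values taken from the request.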