2

There is an application page, deployed to the layouts folder.

The URL of the app page is:

  • http://server:port/sc2/_layouts/test/mypage.aspx

Now, there is a user with read-only permissions (added to the Visitors group). The user is added only on this site collection (sc2) and nowhere else.

The code accesses site collection 01 (on the same web application) and reads a list on that site collection. The user does not have any right/permission on site collection 01.

Here is the code of app page:

    using Microsoft.SharePoint;

    // The Sites[] indexer opens a new SPSite object, so dispose it when done;
    // RootWeb is owned by the site and must not be disposed separately.
    using (SPSite site = SPContext.Current.Site.WebApplication.Sites[0])
    {
        SPWeb rootWeb = site.RootWeb;

        SPList spList = rootWeb.Lists.TryGetList("myList");
        if (spList != null)
        {
            SPQuery qry = new SPQuery();
            qry.Query =
                @"<OrderBy>
                      <FieldRef Name='Created' Ascending='False'/>
                  </OrderBy>";
            qry.ViewFields = @"<FieldRef Name='Title' /><FieldRef Name='Col2' />";
            SPListItemCollection listItems = spList.GetItems(qry);
            if (listItems.Count > 0)
            {
                // Col2 is written into the page unencoded.
                MyDiv.InnerHtml = listItems[0]["Col2"].ToString();
            }
        }
    }

When we log into the PC as this user (with only read permissions), we notice that the code runs successfully. Should it not throw an error, because we are not using RunWithElevatedPrivileges?

I feel it should throw an exception on line 1 and not proceed further.

variable

3 Answers

3

The code is correct and is fine! When accessing aspx pages on the server, it's not running under the app pool account; it's running under the NT authenticated account, which should be your own! How do I know? I use aspx pages in layouts all the time, and giving/denying the app pool account access would not affect it! A good example would be two users: one a site collection admin and the other a normal user.

The collection admin would be able to access the file fine, where the normal user would get access denied... Both, as tweytjens makes out, should have read access, but they don't! Why? Because if you don't add the user group within the web application (within Central Admin) users list with read access, you don't get access to the files in the 12/14/15 hive! Having RunWithElevatedPrivileges surrounding the code within the aspx means the code would run under the application pool account!!! Having code that returns your username within the aspx would firmly show that I'm correct and tweytjens' answer is wrong! Under the app pool account you'll get the system account, and without it, if you have access, you'll get the NT authenticated account, which should be the account you logged in with!

That aside.... to explain what is going on..

Say I have a root site called site1 and I have sub sites site2 and site3. I break inheritance on site2 and give a user read permission only on site2.

So you shouldn't have access to the site http://site1 but should be able to get to http://site1/site2 without getting an access denied.

The reason why you can get to site2 is that you now have Limited Access on site1 in order to be able to get to site2.

The Limited Access permission level is unusual. It enables a user or group to browse to a site page or library in order to access a specific content item. Typically, the user has been given access to a single item in a list or library, but does not have permission to open or edit any other items in the library. The Limited Access permission level includes all the permissions that the user requires to access the required item.

You cannot assign Limited Access permission level directly to a user or group. Instead, you assign appropriate permission to the single item, and then SharePoint automatically assigns Limited Access to other required locations.

http://office.microsoft.com/en-gb/products/understanding-permission-levels-HA102772313.aspx?CTT=5&origin=HA102771919

more on permissions explained in detail

http://office.microsoft.com/en-gb/office365-sharepoint-online-enterprise-help/introduction-control-user-access-with-permissions-HA102771919.aspx#_Toc352060310

EDIT

Central Admin -> Application Management -> Manage web applications -> click on the web application -> click on User Policy

That is the list of users that would have access at the web application level. _layouts is at that level, so for a user to have access, it would be at that level.

RunWithElevatedPrivileges would make the current account run as the system/app pool account. Without RunWithElevatedPrivileges you would run under your normal account, but it would require read access at the web application level, otherwise you get access denied!

For your site access issue, that has to do partly with the above and also partly with the fact that there is a Limited Access policy in place that is set by SharePoint!

EDIT

Yes, I have already outlined why! SharePoint gives restricted read access so you can get to the site collection 2 URL; otherwise you wouldn't be able to. Running on the server has nothing to do with it! The code is run under the NT authenticated user, and definitely not the app pool account!!

Just because code is run on the server doesn't mean it's run under the app pool account! The only way that happens is if you set RunWithElevatedPrivileges; otherwise you would be giving all users unnecessary access! To prove my point:

Within your aspx.cs add the following code; it will show you the current user... It is this user that the current context is using, and it is this user that is used to access the site and the _layouts files within the hive!

using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;

protected override void OnLoad(EventArgs e)
{
    base.OnLoad(e);
    // The SharePoint user the object model is enforcing permissions for on this request.
    string strUserName = SPContext.Current.Web.CurrentUser.LoginName;
    Label l = new Label();
    l.ID = "userID";   // Control.ID (C# is case-sensitive; "id" does not compile)
    l.Text = strUserName;
    this.Controls.Add(l);
}

If you see the system account, then it's the app pool account.... If you see a normal user account, then it's not running under the app pool! If it is running under the app pool account, then you should be worried, as you're giving unnecessary access that is against best practice.

How do I also know it runs under the NT authenticated account? Well, just try and access the file as anonymous :) You'll get access denied... For that you need impersonation, as not even elevated privileges work!

SharePoint -access to path is denied

Ali Jafer
  • You are explaining from the viewpoint of a site and subsites, while my question is concerning site collections. But thanks for typing all this. – variable Apr 10 '14 at 09:26
  • Sorry, but can you reframe the answer? I am unable to understand. – variable Apr 10 '14 at 09:28
  • I did not understand what you are trying to do when you add users to the Central Admin users group. – variable Apr 10 '14 at 09:30
  • What I mean is, go to Central Admin -> Application Management -> Manage web applications -> click on the web application -> click on User Policy ;) – Ali Jafer Apr 10 '14 at 09:38
  • Just amended my answer! Hope it's more clear. – Ali Jafer Apr 10 '14 at 09:43
  • The aspx page under the layouts folder is accessible to all users who have read permissions to the site at the path of the aspx page. Example: http://server:port/sitecol1/subsite1/_layouts/test/testpage.aspx is available only to users who have read access on sitecol1. Am I right? – variable Apr 10 '14 at 10:17
  • Your 2nd last paragraph is wrong, because although my user does not have read permission on the list present on site collection 1, yet he can access the list items from the layouts page at the site collection 2 URL, and that is because the aspx application page code runs on the server and it will run with the credentials of the application pool account under which this application runs and not under the client credentials, even though I am not using elevated privileges, as answered by @tweytjens – variable Apr 10 '14 at 10:20
  • Just amended my answer! – Ali Jafer Apr 10 '14 at 10:53
  • @aliSharepoint, I had this conversation with the same user yesterday. I do not think you will get through to him ;) – Robert Lindgren Apr 10 '14 at 10:56
  • 1
    Robert, the thread you are talking about would have solved my doubts if only you had mentioned that: code on an application page does not run under the logged-in user's credentials but under the NT authenticated user account. Simple. – variable Apr 10 '14 at 10:58
  • @aliSharepoint From your answer I am concluding that code on an app page runs as the NT authenticated user account, whereas code on an app page surrounded by RunWithElevatedPrivileges runs as the SYSTEM account. Can you confirm? – variable Apr 10 '14 at 11:05
  • Finally you get it :) I've slightly updated my answer, plus added a link from another question where I also had to explain what is going on! But that had to do with anonymous access running under the app pool account! It will give you a better understanding! – Ali Jafer Apr 10 '14 at 11:07
  • @variable Yes, that is true! The link also explains a little on the subject :) – Ali Jafer Apr 10 '14 at 11:08
  • Thanks for your patience and explanation. This piece of knowledge is for a lifetime. – variable Apr 10 '14 at 11:08
  • http://sharepoint.stackexchange.com/questions/95567/how-do-i-fetch-the-data-from-list-present-in-root-web-of-the-root-site-collectio Can you paste the answer there too, so I can mark it there as well? – variable Apr 10 '14 at 11:10
  • I just ran your OnLoad() code and I see that it is the logged-in user account: servername\user01. Just asking, is it possible to get the system account there? Maybe I have to add RunWithElevatedPrivileges in the OnLoad() code? – variable Apr 10 '14 at 11:36
  • Also, I went to Central Admin -> Application Management -> Manage web applications -> click on the web application -> click on User Policy, as you have mentioned in your answer, just for my reference. I can see my farm users and NT AUTHORITY\LOCAL SERVICE. So by NT authenticated user you meant this NT AUTHORITY\LOCAL SERVICE? – variable Apr 10 '14 at 11:49
  • Yes, that's no problem! Happy to help! Yes, you need the RunWithElevatedPrivileges block to show the system account! And yes, I mean NT AUTHORITY\LOCAL SERVICE. It's just me being lazy ;) – Ali Jafer Apr 10 '14 at 12:10
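An added example, not code from the question or from any of the answers above, showing the pattern a practitioner would use to make the question's page safe whichever identity the request thread carries. It reports the impersonated Windows identity and the SharePoint user both in the normal context and inside a RunWithElevatedPrivileges block, and it opens the other site collection with the calling user's own SPUserToken, so that SharePoint enforces that user's permissions there rather than the application pool's. The namespace, class and control names, the second site collection's URL (http://server:port/sc1) and the list name are assumptions.

```csharp
// Added example; namespace, class/control names, OtherSiteUrl and ListName are assumed.
using System;
using System.Security.Principal;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Contoso.Layouts.Test
{
    // LayoutsPageBase rejects anonymous requests before Page_Load, so
    // SPContext.Current.Web.CurrentUser is never null in the methods below.
    public partial class MyPage : LayoutsPageBase
    {
        private const string OtherSiteUrl = "http://server:port/sc1";   // assumed
        private const string ListName = "myList";

        protected Literal IdentityInfo;   // both controls declared in the .aspx markup
        protected Literal Result;

        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);
            IdentityInfo.Text = DescribeIdentities();
            Result.Text = ReadLatestItemAsCurrentUser();
        }

        // Reports the identity the request thread impersonates (Windows) and the user
        // the object model enforces permissions for (SharePoint), first in the normal
        // context and then inside RunWithElevatedPrivileges.
        internal static string DescribeIdentities()
        {
            string normal = string.Format("normal: Windows={0}, SharePoint={1}",
                WindowsIdentity.GetCurrent().Name,
                SPContext.Current.Web.CurrentUser.LoginName);

            string elevated = "elevated: (not run)";
            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                // SPContext.Current.Web still belongs to the caller even in here; only
                // objects opened inside the delegate run as the application pool account.
                using (SPSite site = new SPSite(SPContext.Current.Site.ID))
                using (SPWeb web = site.OpenWeb())
                {
                    elevated = string.Format("elevated: Windows={0}, SharePoint={1}",
                        WindowsIdentity.GetCurrent().Name,
                        web.CurrentUser.LoginName);
                }
            });
            return normal + "; " + elevated;
        }

        // Opens the other site collection with the caller's own token, so the caller's
        // permissions on that site collection decide whether the query succeeds.
        internal static string ReadLatestItemAsCurrentUser()
        {
            SPUserToken token = SPContext.Current.Web.CurrentUser.UserToken;
            try
            {
                using (SPSite site = new SPSite(OtherSiteUrl, token))
                {
                    SPWeb rootWeb = site.RootWeb;   // owned by site; not disposed separately
                    SPList list = rootWeb.Lists.TryGetList(ListName);
                    if (list == null)
                    {
                        return "list not found";
                    }
                    // Explicit check on the list itself; GetItems would also throw.
                    if (!list.DoesUserHavePermissions(SPBasePermissions.ViewListItems))
                    {
                        return "access denied to list " + ListName;
                    }

                    SPQuery qry = new SPQuery();
                    qry.Query = "<OrderBy><FieldRef Name='Created' Ascending='False'/></OrderBy>";
                    qry.ViewFields = "<FieldRef Name='Title' /><FieldRef Name='Col2' />";
                    qry.RowLimit = 1;
                    SPListItemCollection items = list.GetItems(qry);
                    if (items.Count == 0)
                    {
                        return "no items";
                    }
                    // Col2 is user-supplied content; encode it before it reaches the page.
                    return SPHttpUtility.HtmlEncode(Convert.ToString(items[0]["Col2"]));
                }
            }
            catch (UnauthorizedAccessException)
            {
                return "access denied to " + OtherSiteUrl;
            }
        }
    }
}
```

With the token supplied explicitly, a user who has no rights on sc1 lands in the access-denied branch instead of receiving the item, which is the behaviour the question expected to see; wrapping the same read in RunWithElevatedPrivileges would instead return the item to every reader of sc2, the over-grant the answer above warns about.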
1

No, the code shouldn't throw any exceptions, since the user has Read permissions, and I hope the List is also inheriting permissions from the site, which means the user has Read permissions on the List as well.

Thus if you try to add an item to the List, it should throw an exception. Reading / querying won't throw any exceptions.

UPDATE

Actually the other answer seems to be right

Permissions for application pages are normally set within the application page itself, using the RightsRequired property.

Here's a comprehensive blog post about Application Page security: http://blog-sharepoint.blogspot.com/2011/10/sharepoint-application-page-security.html

Also have a look at:

Securing SharePoint Application Pages

Arsalan Adam Khatri
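An added example, not from this answer or from the posts it links to, showing the page-level authorization knobs an application page class exposes: the weak configuration (an UnsecuredLayoutsPageBase that allows anonymous requests) beside a hardened LayoutsPageBase that names the rights it requires via RightsRequired and, for administrative pages, requires a site collection administrator. The namespace, class names and the "myList" list name are assumptions; the overridden members are real LayoutsPageBase / UnsecuredLayoutsPageBase members.

```csharp
// Added example; namespace, class names and the list name are hypothetical.
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Contoso.Layouts.Test
{
    // Weak: no SharePoint rights check at all. Any request that reaches the URL runs
    // Page_Load, including anonymous ones when anonymous access is enabled on the web
    // application. Only suitable for pages that expose nothing (login, error, denied).
    public class OpenPage : UnsecuredLayoutsPageBase
    {
        protected override bool AllowAnonymousAccess
        {
            get { return true; }
        }
    }

    // Hardened: before Page_Load, LayoutsPageBase checks RightsRequired against
    // SPContext.Current.Web (the site or subsite in the request URL) for the current
    // user and redirects to the access-denied page on failure. Limited Access does not
    // include ViewListItems, so a user who can merely browse to the web is rejected.
    public class ReportPage : LayoutsPageBase
    {
        protected override SPBasePermissions RightsRequired
        {
            get { return SPBasePermissions.ViewPages | SPBasePermissions.ViewListItems; }
        }

        // Run the check as early as possible (OnPreInit is the default; OnLoad and None
        // are the alternatives).
        protected override RightsCheckModes RightsCheckMode
        {
            get { return RightsCheckModes.OnPreInit; }
        }

        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);
            // RightsRequired covers only the web in the URL. Anything the page touches
            // elsewhere (another list, another site collection) needs its own check.
            SPList list = SPContext.Current.Web.Lists.TryGetList("myList");
            if (list != null && !list.DoesUserHavePermissions(SPBasePermissions.ViewListItems))
            {
                SPUtility.HandleAccessDenied(new UnauthorizedAccessException());
            }
        }
    }

    // Administrative pages: additionally require a site collection administrator.
    public class AdminPage : LayoutsPageBase
    {
        protected override bool RequireSiteAdministrator
        {
            get { return true; }
        }
    }
}
```

The page class, not the folder, is what gates access: a file deployed under _layouts is reachable from every site's URL space, so the check has to be expressed in RightsRequired (and in the code for any object outside the current web), not assumed from where the file lives.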
1

Since the code is on an .aspx page, the code runs on the server and it will run with the credentials of the application pool account under which this application runs, and not under the client credentials as, e.g., Silverlight or JavaScript client-side code would.

tweytjens