I recently had my fair share of trouble when trying to edit the security of a web site through code.
Every time I executed the code, some error came up. Most of the time, it was either "Access Denied" or "The security validation for this page is invalid".
Pretty annoying stuff I thought, and searching the web didn't really help all that much ...
I ran the code using RunWithElevatedPrivileges, but that didn't help much. Neither did the SPWeb.AllowUnsafeUpdates property.
After searching for a REALLY long time, I found the answer in a blog's comment:
(http://spiderwool.blogspot.com/2006/07/security-validation-for-this-page-is.html)
SPSite.WebApplication.FormDigestSettings.Enabled = false
Finally I had found the solution.
However, after redeploying the code on a new web application, I suddenly got an Access Denied error when trying to set this property.
After some searching I found out this was due to the fact I set the application pool to run as Network Service in stead of an administrative account.
This did fix my problem, however I did not really found out the actual source of the issue ...
So, taking all this into account, here is an example of how to set a web's security through code:
public void EditSecurity()
{
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(url))
{
using (SPWeb web = site.OpenWeb())
{
SPWebApplication webApp = web.Site.WebApplication;
webApp.FormDigestSettings.Enabled = false;
web.AllowUnsafeUpdates = true;
SPGroup group = web.SiteGroups["groupname"];
SPRoleAssignment roleAssignment = new SPRoleAssignment((SPPrincipal)group);
SPRoleDefinition roleDefinition;
roleDefinition = web.RoleDefinitions.GetByType(SPRoleType.Contributor); // Gets a predefined role definition
roleDefinition = web.RoleDefinitions["customRole"]; // Gets a custom defined role definition
roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
web.RoleAssignments.Add(roleAssignment);
web.Update();
web.AllowUnsafeUpdates = false;
webApp.FormDigestSettings.Enabled = true;
}
}
});
}
So, to summarize:
-
Run the code with or with Elevated Privileges.
-
Set the web application's FormDigestSettings to disabled for the time you run your code.
-
Set the AllowUnsafeUpdates of the SPWeb object to true for the time you run your code.
-
Update the web object after executing the code.
PS: If you would get an Access Denied error at the setting of the FormDigestSettings, and e.g. you cannot change the web application's application pool identity, or you just can't seem to fix it, you can run your code without setting the FormDigestSettings in it. Alternatively, you can disable the page validation in the Web Application's Generel Settings in the Central Administration. To do this, go to Central Administration --> Application Management --> Web application general settings --> Security Validation = Off
UPDATE: Also take a look at http://epham.wordpress.com/2007/01/22/how-to-fix-security-validation-errors-in-sharepoint-aspnet-page which in some cases also might provide a solution for the issue.