Using SPSite and SPWeb objects with RunWithElevatedPrivileges: Don’t cross the borders

First published on TECHNET on Mar 13, 2013

This blog post is a contribution from David Wilborn, an engineer with the SharePoint Developer Support team.

Although it’s mentioned in the SPSecurity.RunWithElevatedPrivileges documentation , I find that there is still often a lack of clarity for developers when using SPSite and SPWeb objects in conjunction with RunWithElevatedPrivileges delegate.

The mistake I see the most often is attempting to get an SPSite or SPWeb object with elevated privileges by initializing the object inside of a RunWithElevatedPrivileges delegate, then using the object outside of the delegate:

Another common issue is using an already initialized SPSite or SPWeb inside of a RunWithElevatedPrivileges delegate and assuming its permissions will be elevated:

An SPSite and SPWeb object initialized inside of a RunWithElevatedPrivileges block will have indeterminate permissions when used outside of that block – in other words, sometimes the object will retain the elevated privileges and sometimes it will not.  I’ve seen cases where a customer’s code written this way will work fine for months on end, then suddenly stop working when no code has changed!

So what’s the correct way to create SPSite and SPWeb objects with elevated privileges?  Always create and dispose off the objects within the RunWithElevatedPrivileges delegate.  Instead of elevating an existing object’s permissions, you’ll need to create a new object:

A simple rule of thumb is don’t “cross the border” with your SPSite and SPWeb objects – don’t use an object created outside of the RunWithElevatedPrivileges delegate within the delegate, and dispose all SPSite and SPWeb objects created within the delegate before the delegate completes.