Back to Insights

Working with SharePoint 2010 list item security

For some time I have been working on a SharePoint 2010 solution where I need to heavily customize the SharePoint "EditItem" form. Not a big deal, as I created a custom rendering template. I also have a custom "Save" button that has to perform some additional field settings. One thing that my SPList has to have is a "WriteSecurity=2" property. WriteSecurity is a new property in SharePoint 2010 that allows your users to create new items in a list but edit ONLY their own.

In my solution I had to respect that notion, but I also had to allow administrative users to be able to overwrite this restriction.

So in an effort to do this I created my own custom "Save" button and overwrote its "SaveItem()" function and elevated permissions on "base.SaveItem()". Well, SharePoint didn't like this. The problem was the item context was transferred from the parent SPWeb, which already was opened under the context of the existing user (non-admin) and my list item was convinced that there was no elevation done at the time of saving the item.

One solution that I found is to create new SPSite and SPWeb objects and get a hold of the list. Once I have an item in question I pass the "base.ItemContext.ListItem" to it and all of the user-entered data is transferred to the new SPListItem object that is now under my control.

My save operation succeeded!

Here is how my code looks:

protected override bool SaveItem()
bool saveResult = false;
SPSite site = new SPSite(Constants.LocalSiteCollection);
SPWeb web = site.OpenWeb();
SPList list = web.Lists["MyList"];
web.AllowUnsafeUpdates = true;
SPListItem item = base.ItemContext.ListItem;
/// ?. other updates to SPListItem ?
saveResult = true;
base.RedirectUrl = SPContext.Current.Web.Url;
return saveResult;