AllowUnsafeUpdates
Introduction
In this article I explain how and when to use SPWeb.AllowUnsafeUpdates.
SPWeb.AllowUnsafeUpdates: Gets or sets a Boolean value that specifies whether to allow
updates to the database as a result of a GET request or without requiring a security validation.
Whenever your code modifies SharePoint data, that is, whenever it updates SharePoint objects
such as SPWeb, SPList or SPListItem without requiring a security validation, you need to set
SPWeb.AllowUnsafeUpdates = true.
Following is the code snippet for the same.
Detail: Microsoft's idea behind introducing the AllowUnsafeUpdates property is to protect you
from cross-site scripting attacks. It works like this: if your application is running in an
HttpContext (for instance, it is a web part) and the request is a GET request, SharePoint
will refuse to make any changes unless AllowUnsafeUpdates is set to true, and by default
it is false for GET requests. If you try to update lists, webs or any SharePoint
objects that require an SPSite to be created first, and you don't set AllowUnsafeUpdates to true,
you will get this exception:
System.Exception: Microsoft.SharePoint.SPException: The security validation for this page is
invalid. Click Back in your Web browser, refresh the page, and try your operation again. --->
System.Runtime.InteropServices.COMException (0x8102006D): The security validation for this
page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.
Usually, when you create your own SPSite or SPWeb objects, i.e. when you are not getting them
from the SPContext (such as SPContext.Web), and you try to update anything such as web
or list properties or list item metadata, you may get the exception listed above. This is a clear
indication that AllowUnsafeUpdates of the SPWeb is false and is preventing the update.
The problem is easily resolved by setting AllowUnsafeUpdates of the parent web object
to true.
A few examples:
Scenario 1 (using SPWeb.EnsureUser): EnsureUser looks for the specified user login inside the
SPWeb.SiteUsers collection and, if the login isn't found, turns to Active Directory to retrieve
the user information from there. If such information is found, it is added to SPWeb.SiteUsers,
and the next time it is returned directly from SPWeb.SiteUsers. That means we are modifying the
SPWeb by adding a user. Therefore we need to set the AllowUnsafeUpdates property to avoid the exception.
        }
    }
    catch (Exception ex)
    {
        // write to log
    }
    finally
    {
        // restore the value that was in effect before the update
        web.AllowUnsafeUpdates = oldAllowUnsafeUpdate;
    }
    return myUser;
Scenario 2 (using BreakRoleInheritance): The methods BreakInheritance, ResetRoleInheritance and
BreakRoleInheritance reset AllowUnsafeUpdates to false. If more updates follow one of these
calls, AllowUnsafeUpdates has to be set to true again.
        }
    }
    catch (Exception ex)
    {
        // handle exception
    }
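Both scenarios combined in one method, as an added example that is not code from the original article: it saves the current AllowUnsafeUpdates value, sets the property to true again after BreakRoleInheritance resets it, and restores the saved value in a finally block so the relaxed check lasts only for this operation. The class, method and parameter names are hypothetical.

```csharp
using System;
using Microsoft.SharePoint;

// Added example; ItemPermissionHelper, GrantReadOnItem and the parameters are hypothetical names.
public static class ItemPermissionHelper
{
    // Gives one user read-only access to a single list item with unique permissions.
    public static void GrantReadOnItem(string siteUrl, string listTitle, int itemId, string loginName)
    {
        // These objects are created here (not taken from SPContext), so they are disposed here.
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            bool oldAllowUnsafeUpdates = web.AllowUnsafeUpdates;
            try
            {
                // Scenario 1: EnsureUser may add the login to SPWeb.SiteUsers, which is an update.
                web.AllowUnsafeUpdates = true;
                SPUser user = web.EnsureUser(loginName);

                SPListItem item = web.Lists[listTitle].GetItemById(itemId);
                if (!item.HasUniqueRoleAssignments)
                {
                    // Scenario 2: this call resets AllowUnsafeUpdates to false ...
                    item.BreakRoleInheritance(false);
                    // ... so it is set again before the next write.
                    web.AllowUnsafeUpdates = true;
                }

                SPRoleAssignment assignment = new SPRoleAssignment(user);
                assignment.RoleDefinitionBindings.Add(
                    web.RoleDefinitions.GetByType(SPRoleType.Reader));
                item.RoleAssignments.Add(assignment);
            }
            finally
            {
                // Restore the original value whether or not the update succeeded.
                web.AllowUnsafeUpdates = oldAllowUnsafeUpdates;
            }
        }
    }
}
```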