SPWeb.

AllowUnsafeUpdates
Introduction
In this article I am going to explain you that How and when to use SPWeb.AllowUnsafeUpdates.
SPWeb.AllowUnsafeUpdates : It Gets or sets a Boolean value that specifies whether to allow
updates to the database as a result of a GET request or without requiring a security validation.
Whenever your code modifies SharePoint data in some way or Whenever we need to update
SharePoint objects like SPWeb, SPList, SPListItem, etc , without requiring asecurity validation, we
need to set SPWeb.AllowUnsafeUpdates = true.
Following is the code snippet for the same.

1
2
3
4
5

SPWeb web = SPContext.Current.Web;

web.AllowUnsafeUpdates = true;
// Perform the list/list item/web update
web.allowUnsafeUpdates = false;

Detail:The Microsoft idea behind introducing the AllowUnsafeUpdates property is to protect YOU
from cross-site scripting attacks. The way this works is that if your application is running in an
HTTPContext (i.e. its a web part for instance) and the request is a GET request then SharePoint
will refuse to do any changes unless the value of AllowUnsafeUpdates is set to true and by default
it will be false for GET requests. If you try to do any updates to lists, webs or any SharePoint
objects that require an SPSite to be created first, and if you dont set AllowUnsafeUpdates to true
you will get this exception:
System.Exception: Microsoft.SharePoint.SPException: The security validation for this page is
invalid. Click Back in your Web browser, refresh the page, and try your operation again. >
System.Runtime.InteropServices.COMException (0x8102006D): The security validation for this
page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.
Usually when you create your own SPSite or SPWeb objects, i.e. when you are not getting them
from the SPContext (such as SPContext.Web), and when you try to update anything such as web
or list properties, list items metadata etc, you may get the exception listed above. This is a clear
indication thatAllowUnsafeUpdates of the SPWeb is false and this is preventing you from doing the
update. This problem is resolved easily by setting theAllowUnsafeUpdates of the parent web object
to true.
Few examples:- Scenario 1 (using SPWeb.EnsureUser):EnsureUser looks for the specified user login inside SPWeb.SiteUsers collection, and if the login
isnt found, turns toActiveDirectory for the purpose of retrieving the user information from there. If
such information is found, it will be added to SPWeb.SiteUsers and for the next time it will be
returned directly fromSPWeb.SiteUsers. That means we are modifying SPWeb by adding user.
Therefore we need to use AllowUnsafeUpdates property to avoid exception.

1 public static SPUser VerifyUser(SPWeb web, string loginName)

2 {
3
SPUser myUser = null;
4
try
5
{
6
web.AllowUnsafeUpdates = true;
7
myUser = web.EnsureUser(loginName);

8
9
10
11
12
13
14
15 }

}
catch (Exception ex) {// write to log}
finally
{
web.AllowUnsafeUpdates = oldAllowUnsafeUpdate;
}
return myUser;

Scenario 2 (using BreakRoleInheritance):When we use Methods BreakInheritance, ResetRoleInheritance and BreakRoleInheritance, it reset
AllowUnsafeUpdates to false.

using (SPSite spSite = new SPSite("url"))

1 {
2
using (SPWeb spWeb = spSite.OpenWeb())
3
{
4
bool oldAllowUnsafeUpdates = spWeb.AllowUnsafeUpdates;
5
6
try
7
{
8
SPList spList = spWeb.Lists["some list"];
9
SPListItem spLisItem = spList.GetItemById(someId);
10
// need to set since we are going to modify SPListItem
11
spWeb.AllowUnsafeUpdates = true;
12
spLisItem.BreakRoleInheritance(false);
13
14
SPRoleDefinition reader =
15 spWeb.RoleDefinitions.GetByType(SPRoleType.Reader);
16
SPGroup someGrp = spWeb.Groups["some group"];
17
18
SPRoleAssignment roleAssignment = new SPRoleAssignment(someGrp);
19
roleAssignment.RoleDefinitionBindings.Add(reader);
20
21
// need to set since BreakRoleInheritance method reset
22 AllowUnsafeUpdates to false
23
spWeb.AllowUnsafeUpdates = true;
24
spListItem.RoleAssignments.Add(roleAssignment);
25
26
}
27
catch (Exception ex)
28
{
29
// logging
30
}
31
32
spWeb.AllowUnsafeUpdates = oldAllowUnsafeUpdates;
33
spWeb.Update();
34
}
}
Scenario 3 (using SPListItem.Update):-

1 using (SPSite spSite = new SPSite("url"))

2 {
3
using (SPWeb web = spSite.OpenWeb())
4
{
5
try
6
{
7
SPList list = web.Lists["SomeList"];

8
9
10
11
12
13
14
15
16
17
18
19 }

SPListItem item = list.GetItemById(12);

item["Title"] = "Some Changes";
web.AllowUnsafeUpdates = true;
item.Update();
web.AllowUnsafeUpdates = false;

}
catch (Exception ex)
{
// handle exception
}