Recently, our new corporate Intranet went live, and I happened to be performing a search while logged in as a limited user to verify that security trimming was working. I was surprised to find that this user was getting back results they did not have access to. I could tell because there were items in the results that, when clicked, took me to the access denied page.
I began looking for some answers but was unable to find anyone else out there having the same issue. This led me to believe that it must have been something I had customized on our site that was causing the issue. I remembered that I had been having trouble with the impersonation piece when I was testing some custom code before, and that I had gone into the web.config file and set impersonation to false. So I thought it a wise decision to go back in there and set it back to what it normally is (true). I saved the change, ran a search, and found that I was now only getting back items I was allowed to see. I was relieved that at least SharePoint search was working the way it is supposed to.
Now I just had to figure out what to do in my code so that I could leave impersonation on. Impersonation allows the SharePoint application to run a request as the user who made it: when a user performs a search, SharePoint checks that user's permissions to see which files they are allowed to see, and then returns only those items in the search results. By turning impersonation off I was running all of this as the System Account, which had access to every item in the site.
I was finally able to find a way in my code to perform the functions I needed to while allowing impersonation to continue. Let this be a lesson to me: Don't go changing items in web.config without fully understanding the implications.
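The post does not say which code change it settled on, so the following is an added example, not the author's code, of the usual pattern for keeping `<identity impersonate="true" />` in web.config while still letting one operation run with elevated rights: leave the request running as the signed-in user (so search trimming and list permissions work) and wrap only the privileged write in `SPSecurity.RunWithElevatedPrivileges`. The list name, the `Actor` column and the `AuditLogWriter` class are hypothetical; the SharePoint API calls are the standard server object model.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not from the original post. Assumes a SharePoint web part or
// application page running under ASP.NET with <identity impersonate="true" />
// in web.config, so the request identity is the signed-in user.
//
// What the post describes as the broken state was the opposite setting:
//   <identity impersonate="false" />   -- every request, including search,
//   runs as the application pool account and nothing is security trimmed.
public static class AuditLogWriter
{
    // Hypothetical list name; the signed-in user is assumed to lack write
    // permission on it, which is why this one write needs elevation.
    private const string LogListName = "Audit Log";

    public static void WriteEntry(string message)
    {
        // Read everything you need from the caller's context *before* elevating.
        // SPContext.Current objects were opened as the impersonated user and
        // must not be reused inside the elevated delegate.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        string userLogin = SPContext.Current.Web.CurrentUser.LoginName;

        // Only this block runs as the application pool identity. Everything
        // outside it, including any search the user runs, stays impersonated
        // and therefore stays security trimmed.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New SPSite/SPWeb instances are required for the elevated identity.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                web.AllowUnsafeUpdates = true;
                try
                {
                    SPListItem item = web.Lists[LogListName].Items.Add();
                    item["Title"] = message;
                    // Record who actually triggered the write; inside this block
                    // web.CurrentUser would be the app pool account, not the user.
                    item["Actor"] = userLogin;
                    item.Update();
                }
                finally
                {
                    web.AllowUnsafeUpdates = false;
                }
            }
        });
    }
}
```

The point of the pattern is scope: elevation is confined to the one delegate that needs it, the caller's identity is captured beforehand so the audit trail still names the real user, and web.config is never touched. A quick check that the setting is correct is the one the post used: sign in as a low-privilege user, run a search, and confirm that no result leads to the access denied page.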