SPC050101: Do not use spaces in file or folders names
SPC050201: Instantiate a new SPSite inside RunWithElevatedPrivileges
SPC050222: Do not call SPList.Items
SPC050223: Do not call SPList.Items.GetItemById()
SPC050224: Do not call SPList.Items[]
SPC050225: Do not call SPList.Items.Count
SPC050226: Do not call SPListItemVersion.Delete to delete multiple versions
SPC050227: Do not call SPFileVersion.Delete to delete multiple versions
SPC050228: Do not enable ObjectTracking in Linq.DataContext
SPC050229: Do not access SPListCollection by indexer multiple times
SPC050230: Do not call SPFolder.Files.Count
SPC050231: Use SPBuiltInContentTypeId to reference builtin ContentType
SPC050232: Use SPBuiltInFieldId to reference builtin Field
SPC050233: Define RowLimit for SPQuery
SPC050234: Avoid using AppSettings to store configuration values
SPC050235: Apply lock when caching SharePoint objects
SPC050236: Do not call SPItemEventProperties.OpenWeb()
SPC050237: Do not request SPField from SPFieldCollection by index. Use SPFieldCollection.GetField() instead.
SPC050238: Do not call SPWeb.GetListFromUrl. Use SPWeb.GetListFromWebPartPageUrl instead.
SPC050250: Assign RowLimit for SPQuery in limited range
SPC052101: Do not activate or deactivate Features via API
SPC052201: Custom field types should not be user creatable
SPC055201: Consider using SPContentTypeCollection.BestMatch(SPContentTypeId) to retrieve a Content Type
SPC055501: Define Type of ListTemplate greater than 10000
SPC056001: Do not instantiate SPList in Receiver
SPC056002: Do not instantiate SPListItem in Receiver
SPC056003: Do not instantiate SPSite in Receiver
SPC056004: Do not instantiate SPWeb in Receiver

SPC050201: Instantiate a new SPSite inside RunWithElevatedPrivileges

An SPSite object created outside the delegate can be referenced inside the delegate, however, the methods and property assessors of the object run with the privileges of the user context in which the objects were created, not with the elevated privileges.

TypeName: InstantiateNewSPSiteInRunWithElevatedPrivileges
CheckId: SPC050201
Severity: CriticalWarning
Type: AssemblyFileReference
Resolution

Instantiate a new SPSite inside RunWithElevatedPrivileges.

Bad Practice:

SPSite site = new SPSite("http://mysharepointsite");
SPSecurity.RunWithElevatedPrivileges(delegate()
{
  // This SPWeb will NOT have elevated privileges, because "site" does not
  SPWeb notElevatedWeb = site.RootWeb;  
});
Good Practice:
SPSite site = new SPSite("http://mysharepointsite");
// additional code using the site object
SPSecurity.RunWithElevatedPrivileges(delegate()
{
  // Create a new elevated version of the same site collection object
  using (SPSite elevatedSite = new SPSite(site.Id))     
  {
    SPWeb elevatedWeb = elevatedSite.RootWeb;
    // perform elevated operations with elevatedWeb here. . .
  } // SPSite object gets disposed automatically
});  

Links

comments powered by Disqus

Copyright © 2013 RENCORE AB. All Rights Reserved

Disclaimer: The views and opinions expressed in this documentation and in SPCAF are those of the creators and do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. All trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.

SharePoint Code Analysis Framework, Version 4.5.2.7855, see www.spcaf.com for more information