
BreakRoleInheritance and AllowUnsafeUpdates

Tags: SharePoint

I have just struggled a while with a SharePoint Web Part that constantly threw an error, see below. This Web Part creates a SharePoint list when it is first loaded by a user, and it should create the list with permissions so that only that user has access to it (i.e. a personal list). This is done by breaking the role inheritance of the list using BreakRoleInheritance(false), so that no inherited roles are copied. I’ve used this method previously in the solution, but then it was done on a POST request, and now it should do almost the same during a GET request, that is, when the user navigates to the page.

All this is done under elevated privileges and looks something like this:

SPSecurity.RunWithElevatedPrivileges(delegate() {
  using (SPSite site = new SPSite(url)) {
    using (SPWeb web = site.OpenWeb(url.Replace(site.Url, string.Empty))) {
      web.AllowUnsafeUpdates = true;
      Guid guid = web.Lists.Add(name, string.Empty, SPListTemplateType.DocumentLibrary);
      SPList list = web.Lists[guid];
      ...
      list.BreakRoleInheritance(false);
      ...
      list.Update();
    }
  }
});

This gives me the following error when running during a GET request.

"Updates are currently disallowed on GET requests.  To allow updates on a GET, set the 'AllowUnsafeUpdates' property on SPWeb."

If I rewrite the code and change the BreakRoleInheritance(false) to BreakRoleInheritance(true) and set AllowUnsafeUpdates to true once again, it works fine, and I have to manually get rid of all the roles.

Why is it so?

If you step through the code in the working sample you will see that after the BreakRoleInheritance(true) line the AllowUnsafeUpdates property of the SPWeb object has changed to false. The AllowUnsafeUpdates property resets to false whenever any ISecurable object changes its role definitions, and the BreakRoleInheritance method calls an internal function that invalidates the SPWeb object, which resets the AllowUnsafeUpdates property.

The exception is thus thrown after the role inheritance has been broken, when the method tries to remove the roles from the list. I initially thought that it was the other way around and therefore was a bit confused.

So the correct way is this:

SPSecurity.RunWithElevatedPrivileges(delegate() {
  using (SPSite site = new SPSite(url)) {
    using (SPWeb web = site.OpenWeb(url.Replace(site.Url, string.Empty))) {
      web.AllowUnsafeUpdates = true;
      Guid guid = web.Lists.Add(name, string.Empty, SPListTemplateType.DocumentLibrary);
      SPList list = web.Lists[guid];
      ...
      list.BreakRoleInheritance(true);
      // BreakRoleInheritance has reset AllowUnsafeUpdates to false; set it again
      web.AllowUnsafeUpdates = true;
      // remove roles manually
      ...
      list.Update();
    }
  }
});

Happy programming…

Note: there is a reason why this is implemented this way: to prevent cross-site scripting attacks. If you are unsure about what you are doing, you should consider an alternative way of solving your problem.
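
One way to package the fix above so that AllowUnsafeUpdates is raised only for the duration of the permission change and is put back afterwards. This is an added example, not code from the original post: the class and method names, the loginName parameter and the choice of the Contributor role are assumptions, and re-setting the flag before every removal assumes, following the post, that each role change may reset it.

```csharp
using Microsoft.SharePoint;

public static class PersonalListSecurity
{
    // Hypothetical helper: gives 'list' unique permissions for one user only.
    // 'web' is the elevated SPWeb that owns 'list'; 'loginName' is the
    // account that should keep access (both supplied by the caller).
    public static void RestrictToUser(SPWeb web, SPList list, string loginName)
    {
        // Remember the caller's setting so it can be restored in 'finally'.
        bool original = web.AllowUnsafeUpdates;
        try
        {
            web.AllowUnsafeUpdates = true;
            // Copy the inherited roles; per the post this call resets the flag.
            list.BreakRoleInheritance(true);

            // Remove the copied assignments back to front so indexes stay valid.
            for (int i = list.RoleAssignments.Count - 1; i >= 0; i--)
            {
                // Assumption: re-assert the flag before every security change.
                web.AllowUnsafeUpdates = true;
                list.RoleAssignments.Remove(i);
            }

            // EnsureUser may add the account to the site, which is an update too.
            web.AllowUnsafeUpdates = true;
            SPUser user = web.EnsureUser(loginName);

            // Grant that single user Contribute rights on the list.
            SPRoleAssignment assignment = new SPRoleAssignment(user);
            assignment.RoleDefinitionBindings.Add(
                web.RoleDefinitions.GetByType(SPRoleType.Contributor));
            list.RoleAssignments.Add(assignment);
        }
        finally
        {
            // Do not leave the web accepting unvalidated updates on GET
            // after the permission change, even if a step above threw.
            web.AllowUnsafeUpdates = original;
        }
    }
}
```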


  • .Net Follower said

    Hello! I had the same problem with BreakRoleInheritance, I used the same workaround. I described it in my blog http://dotnetfollower.com/wordpress/2011/03/sharepoint-updates-are-currently-disallowed-on-get-requests/


About Wictor...

Wictor Wilén is a Director and SharePoint Architect working at Connecta AB. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for four consecutive years.
