I have code that runs as part of an event handler and need to create a new TOM.NET session (I can't reuse subject.Session). This event handler is loaded into many Tridion processes (TcmServiceHost, COM+, Publisher, TcmTemplateDebugHost, IIS Application Pool) and these processes may:
I try to cater for both cases with this TOM.NET code:
using Tridion.ContentManager;

Session session = null;
try
{
    // run as the identity of the current process
    session = new Session();
}
catch (AccessDeniedException ex)
{
    // this process doesn't have TCM access, so impersonate a user that does
    session = new Session("Administrator");
}
if (session != null)
{
    var item = session.GetObject(id);
    ...
}
Is this the right way to check whether my code is running under a process that has access to Tridion (ignoring the fact that I hard-coded "Administrator")? The code works, but I just wonder if there is a more efficient way to perform a "has access to Tridion" check?
Note: the same question arises when I use the Core Service to access Tridion, so the question is not whether the TOM.NET is the right API to use here.
I would not use this code. Exception catching is slow and you are currently giving (Administrator) access to anyone who cannot access the system - which is a big security hole to have.
Instead, I would look at who the current user is and figure out if he is an impersonation user or not. You could read the impersonation users from the Tridion.ContentManager.config file directly, if there isn't an API for it (I haven't checked).
using System.Security.Principal;
using Tridion.ContentManager;
// IsImpersonationUser: your own helper that checks the identity against the configured impersonation users
var isImpersonationUser = IsImpersonationUser(WindowsIdentity.GetCurrent());
var session = isImpersonationUser ? new Session("Administrator") : new Session();
var item = session.GetObject(id);
Or you would have it be configurable separately for your event code. Or even hard-coded, if you don't care about the code being generic.
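One way to implement the IsImpersonationUser check sketched in the answer above, as an added example that is neither the answer's own code nor part of TOM.NET. The config XML is constructed inline, and the element names (security/impersonationUsers/add) are an assumption about the layout of Tridion.ContentManager.config that must be checked against the real file; the impersonated user name is passed in from the handler's own configuration instead of being hard-coded.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Xml.Linq;
using Tridion.ContentManager;

// Hypothetical helper (not part of TOM.NET): decides up front whether the
// current Windows identity is a configured impersonation user, so the event
// handler never has to fall back to a privileged user on AccessDeniedException.
public static class SessionFactory
{
    // Constructed sample. The element names are an ASSUMPTION about the layout of
    // Tridion.ContentManager.config; verify them against the real file before use.
    public const string SampleConfig = @"<configuration>
  <security>
    <impersonationUsers>
      <add name=""NT AUTHORITY\NETWORK SERVICE"" />
      <add name=""CORP\svc-publisher"" />
    </impersonationUsers>
  </security>
</configuration>";

    public static bool IsImpersonationUser(WindowsIdentity identity, string configXml)
    {
        var names = XDocument.Parse(configXml)
            .Descendants("impersonationUsers")
            .Elements("add")
            .Select(e => (string)e.Attribute("name"))
            .Where(n => !string.IsNullOrEmpty(n));
        // Windows account names compare case-insensitively
        return names.Any(n => string.Equals(n, identity.Name, StringComparison.OrdinalIgnoreCase));
    }

    public static Session Create(string configXml, string impersonatedUser)
    {
        var current = WindowsIdentity.GetCurrent();
        // Only a configured impersonation user may act as someone else. Every other
        // process account gets its own session, so changes are audited under its own name
        // and a missing permission surfaces as an error instead of silently escalating.
        return IsImpersonationUser(current, configXml)
            ? new Session(impersonatedUser)
            : new Session();
    }
}

// In the event handler (configPath and impersonatedUser come from your own settings):
//   var session = SessionFactory.Create(System.IO.File.ReadAllText(configPath), impersonatedUser);
//   var item = session.GetObject(id);
```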
This code seems pretty efficient to me - but checking whether you can create the session object by no means guarantees that the code will be able to perform the action you actually want to carry out in the CMS.
It also seems like such code is creating a large security vulnerability, allowing processes to fall back to a higher level of security when they don't have permissions. Also keep in mind that if you are modifying any items in the CMS, impersonation will have the result of not showing the real name of the individual who may have triggered the change. It will be stored as the user you are impersonating.