Corey Roth and Friends Blogs

Group site for developer blogs dealing with (usually) Ionic, .NET, SharePoint, Office 365, Mobile Development, and other Microsoft products, as well as some discussion of general programming related concepts.

Kyle Kelin on .Net

February 2009 - Posts

  • A Closer Look at AllowUnsafeUpdates

    The SPWeb.AllowUnsafeUpdates property recently came up in my project this week. I got the following exception:

    System.Exception: Microsoft.SharePoint.SPException: The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again. —> System.Runtime.InteropServices.COMException (0×8102006D): The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.

    One of my team members told me to just set AllowUnsafeUpdates to true. I did and the exception went away. A quick google search shows dozens of blog posts and forum answers that the solution to the above exception is to set AllowUnsafeUpdates to true. After meeting a deadline I decided to go back and look at this property because it seems like a property that you would not want to set to true. The idea behind AllowUnsafeUpdates is to protect you from cross-site scripting attacks. All SharePoint does is check to see if HttpContext.Current is not null, and if it's not (this is in the context of a web request) it checks to see if the current web request is an HTTP GET (you clicked on a link) vs an HTTP post (you clicked on a button), and if it's not an HTTP POST (e.g., not a postback) it then checks the value of AllowUnsafeUpdates (which is false by default), if it is false then the security exception mentioned above is throw. I should mention I am leaving out a few steps to simplify the explanation. For more details of how the property is implemented see the MSDN documentation.

    There are two reasons you get the above exception and may be tempted to set AllowUnsafeUpdates to true to avoid it. The first is if you are trying to perform an update of a web or list when the page loads instead of during a postback. For example creating a delete.aspx page and passing the list item ID in as a query string parameter then performing the delete on that item. This will throw a security exception by default. But MSFT gave you the option to override this exception by setting AllowUnsafeUpdates to true. Do not do this. There is a reason you are getting an exception here. You are opening a risk that anyone can call that page and pass in any id in the querystring and delete a list item. Plus your search crawler or an outside search engine might accidentally hit that page and delete the list item. But for me I was not doing this. I had a button click event that was calling my SharePoint update code. The reason I was getting the exception was because we did not have the forms digest security control in the master page. This control validates the Web application when it attempts to access the Windows SharePoint Services APIs. So adding the following control to our master page removed 95% of our need for setting AllowUnsafeUpdates to true:

    <!-- Form Digest Security Control -->

    <asp:ContentPlaceHolder id="PlaceHolderFormDigest" runat="server">

        <SharePoint:FormDigest runat=server/>




    The majority of the time you should have AllowUnsafeUpdates set to false. But there are always exceptions to the rule. The first that comes to mind is feature receivers. I haven't dug into this too much but it seems you have to set AllowUnsafeUpdates to true. If anyone can confirm or deny this please post in the comments. The other situation that comes to mind is one-off updates. For example, creating a console app that updates a particular column in a list is not a big enough security risk to worry about.


    Some Additional References:



  • Setting the People/Group Field Type to a SharePoint Group

    I ran across this today and thought I would take a minute to blog about it because I didn't find exactly what I wanted by Googling. I have a SharePoint Group that I have created and I need to set that in a list so I can use it later on. I found a lot of articles on how to set a People or Group field by using the SPFieldUserValue but I didn't know how to get from a SPGroup to that object. Then it dawned on me to use the ID and Name properties of the group. Bam works like a charm. Here is the code:



    SPGroup group = rootWeb.SiteGroups[groupName];


    SPFieldUserValue value = new SPFieldUserValue(rootWeb,group.ID, group.Name);

    item["Committee Group"] = value;

  • Using Extension Methods to Make SharePoint More Palatable

    On my current project I have been using a lot of extension methods to hide things I don't like about the SharePoint API. For one I hate that the only way to determine if something is in a list, web, or group is by trying to access the item and then catch the exception. Yuck. Here is an extension method I wrote to test if a group exists in a site or not.


    public static bool Contains(this SPGroupCollection groups, string groupName)




    SPGroup group = groups[groupName];

    return true;


    catch (Exception)



    return false;




    And here is how I use the extension method.


    if (!committeesRootWeb.SiteGroups.Contains(groupName))


    committeesRootWeb.SiteGroups.Add(groupName, member, user, groupName);



    For a little more info check out this post:

  • Infusion's Falcon Eye for Surface goes to the Superbowl

    This came through internally on Friday from fellow Infusionite Kartik Subramani. Congrats to everyone involved!

    About three weeks ago, Infusion was asked to produce a demo of a security application for managing security at SuperBowl XLIII in Tampa Bay this Sunday.  Although originally intended as a demo to gain some press for both Infusion and E-Sponder (the solution that Tampa Police uses in their day to day operations), it was such a hit, that the Incident Commander requested that it be brought into the Joint Operation Center, where every security organization from the local police to the [deleted in case this would get anyone in trouble.] were gathered to monitor the event.  The app allowed for real time visualization of incidents as they were reported to 911 and filed by police officers.  While I was down there, everything from loose dogs and lost children, to grand theft auto and bomb sweeps were showing up on the map.  In addition to having all that information at his fingertips, the Incident Commander was also able to listen to and speak out on to their various radio networks from the Surface [unit].

    You can read full details at the following links:

    There were film crews from NBC and CBS filming the Incident Commander using the application.  I believe the NBC clip was to air this morning [Friday, Jan 30] on the Today Show, or the morning news, but I'm not sure when the CBS clip is going to air.

    Big shout out to Lan Nguyen, for his help with developing the application, and to Alex Preston and Trevor Hunter for their guidance during the architecture and design phase.

    And while everyone inside Infusion knows that Kurt Guenther is the "godfather of Falcon Eye," now you know too.If you have want to learn more about Surface or have questions about how we did it, you can reach Kartik and the team through the alias:


    Read more about Falcon Eye at the Superbowl

    Read more about Falcon Eye and Surface

    Read more about Surface Development at Infusion

Powered by Community Server (Non-Commercial Edition), by Telligent Systems