I’m posting this mostly for my own reference as the riddle has been solved already–see the External References section for details.
What I'm writing about is this: in your SharePoint component you call SPSecurity.RunWithElevatedPrivileges(), and when you try to change anything SharePoint-related you get this error message:
Microsoft.SharePoint.SPException: The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again. ---> System.Runtime.InteropServices.COMException (0x8102006D): The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.
You get this error message because you had to create SPSite and SPWeb objects for use in your elevated code, and this in turn caused a new SPContext object to be created with an unvalidated Form Digest. To remedy this, simply call SPUtility.ValidateFormDigest() before using SPSecurity.RunWithElevatedPrivileges().
Additional takeaways:
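The call order described above, as an added example that is not code from the original post or from Microsoft's documentation. The control class, the click handler, the list name "Audit Notes", and the choice to throw when validation returns false are assumptions made for illustration.

```csharp
using System;
using System.Web.UI;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical code-behind; class, handler and list names are assumptions.
public class AuditNoteControl : UserControl
{
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Validate the form digest of the current POST *before* elevating.
        // This check runs against the caller's own request, so a request
        // that does not carry a valid digest is refused at this point.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("Form digest validation failed; update refused.");
        }

        // Capture plain identifiers only. Objects taken from SPContext keep
        // the caller's identity and must not be reused in the elevated code.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        string userLogin = SPContext.Current.Web.CurrentUser.LoginName;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New SPSite/SPWeb objects created here run with elevated rights.
            // AllowUnsafeUpdates is deliberately left untouched.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPList list = web.Lists["Audit Notes"]; // throws if the list is missing
                SPListItem item = list.Items.Add();
                item["Title"] = "Saved by " + userLogin;
                item.Update();
            }
        });
    }
}
```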
- Setting the SPWeb’s AllowUnsafeUpdates property to true is only a crutch. Prefer SPUtility.ValidateFormDigest()–especially as the AllowUnsafeUpdates property will be reset on various occasions.
- Never ever ever switch form validation off as it makes you vulnerable to attacks. This applies to using Central Administration as well as setting SPWebApplication.FormDigestSettings.Enabled to false.
External References:
- A nice write-up of how and why to use RunWithElevatedPrivileges()
- Microsoft’s documentation of SPSecurity.RunWithElevatedPrivileges() explicitly says to call ValidateFormDigest().
- The most complete explanation of the underlying security mechanism