I have code that runs as part of an event handler and need to create a new TOM.NET session (I can’t reuse subject.Session). This event handler is loaded into many Tridion processes (TcmServiceHost, COM+, Publisher, TcmTemplateDebugHost, IIS Application Pool) and these processes may:
- run under an identity that has access to Tridion (e.g. the COM+ application runs under MTSUser, which is a Tridion administrator)
- run under an identity that doesn’t have access to Tridion, but is allowed to impersonate Tridion users (e.g. TcmServiceHost runs as NetworkService, which is configured as a Tridion Impersonation User).
I try to cater for both cases with this TOM.NET code:
    Session session = null;
    try
    {
        session = new Session();
    }
    catch (AccessDeniedException ex)
    {
        // this process doesn't have TCM access, so impersonate a user that does
        session = new Session("Administrator");
    }
    if (session != null)
    {
        var item = session.GetObject(id);
        ...
Is this the right way to check whether my code is running under a process that has access to Tridion (ignoring the fact that I hard-coded “Administrator”)? The code works, but I just wonder if there is a more efficient way to perform a “has access to Tridion” check?
Note: the same question arises when I use the Core Service to access Tridion, so the question is not whether the TOM.NET is the right API to use here.
I would not use this code. Exception catching is slow and you are currently giving (Administrator) access to anyone who cannot access the system – which is a big security hole to have.
Instead, I would look at who the current user is and figure out if he is an impersonation user or not. You could read the impersonation users from the Tridion.ContentManager.config file directly, if there isn’t an API for it (I haven’t checked).
Or you would have it be configurable separately for your event code. Or even hard-coded, if you don’t care about the code being generic.
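A sketch of the identity-based check suggested in the answer, added here as an example; it is not code from the original posts or from Tridion. It assumes a reference to the Tridion.ContentManager assembly and uses only the two `Session` constructors shown in the question. `EventSessionFactory`, the hard-coded account list and the `EXAMPLE\tridion-events` user are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Tridion.ContentManager; // Session, as used in the question

public static class EventSessionFactory
{
    // Assumption: the accounts configured as Tridion impersonation users,
    // kept in the event code itself. Constructed sample value.
    private static readonly HashSet<string> ImpersonationAccounts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"NT AUTHORITY\NETWORK SERVICE"
        };

    // Placeholder: the Tridion user the event code should act as.
    private const string ImpersonatedUser = @"EXAMPLE\tridion-events";

    // Pure decision on the process account name; testable without Tridion.
    public static bool IsImpersonationAccount(string processAccount)
    {
        return !string.IsNullOrEmpty(processAccount)
            && ImpersonationAccounts.Contains(processAccount.Trim());
    }

    public static Session Create()
    {
        string account;
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            account = identity.Name; // e.g. "NT AUTHORITY\NETWORK SERVICE"
        }

        if (IsImpersonationAccount(account))
        {
            // Known impersonation account: impersonate explicitly.
            return new Session(ImpersonatedUser);
        }

        // Any other identity gets only its own rights. If it has no Tridion
        // access, AccessDeniedException propagates to the caller; there is
        // no fallback to a privileged user.
        return new Session();
    }
}
```

The difference from the try/catch version is that an unlisted identity without Tridion access fails with the exception instead of being given an impersonated session.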