Towards the end of last week and the start of this week at work I was putting live some changes to a publically available site built in SharePoint 2007 when I started to get access denied errors on some pages which had been created using a new page layout. Initially I assumed that one of the components on the page were not checked in and published so I checked all the usual items such as:
- The content pages stored in the site Pages Library
- Master pages and page layouts in the site collection gallery
- Shared content used on the pages
After reviewing all the items mentioned above I was no further forward so I started to remove sections from the master page and page layout until I was able to pinpoint it was a particular web part, which was used to generate the sub navigation. Using a process of elimination and colleague and I were able to identify the accessed denied error was being triggered by a call to the SPContext.Current.Web SPWeb object. Initially I was confused as the code was wrapped in an SPSecurity.RunWithElevatedPrivileges block thus I assumed all code executed was getting run under the context of the application pool and should not be getting an access denied error. After some future research I found an msdn article which detailed the fact that using the SPContext.Current.Web will not be affected by running code in the Elevated Privileges block as this is created with the context of the currently running user.
To correct this issue I created new SPSite and SPWeb objects using the URL of the page being hit and the site worked as expected. I am aware lots of people may be aware of this caveat but thought it would be useful to document, partly for myself and partly for any others that may encounter a similar issue.