The SharePoint security model allows list data to be secured by a user's permission level. The model is flexible and allows custom Permission Levels to be defined.
For instance, a SharePoint User Group for "Employee Users" can be assigned a custom permission level which allows only new records to be inserted into a "Company Suggestion" list. Once a suggestion is added, the employee may not View, Edit, or Delete their own, or anyone else's, suggestion. This permission level is straightforward to set up using the standard UI.
When permission levels become more complicated and exceptions to the rules are introduced, these permissions may not be sufficient.
Continuing with the Company Suggestion example, we'll modify the requirements to allow the employee to Edit or Delete a suggestion for up to 24 hours after submitting it. A custom web part is created and added to the site to display the logged-in user's suggestions. If within the 24-hour window, "Edit" and "Delete" functions are available to the user.
Modifying the Permission Level previously set up to allow View, Edit and Delete introduces unwanted risks. A user may manipulate the system to bypass the 24-hour window and Edit or Delete their suggestions. (I completely understand an employee suggestion is not usually business critical data.)
A more secure option is to leave the Edit and Delete restrictions in place, and let the web part handle the Edit and Delete permissions. By default, the functions of the web part will run in the context of the current user, and would be restricted by the user's permission levels. To work around this, SharePoint provides the ability to execute code blocks with elevated privileges. This is done with SPSecurity.RunWithElevatedPrivileges.
It's easy enough to find C# examples using RunWithElevatedPrivileges on the Internet. Most of these use anonymous methods, something not yet supported by VB in .Net 2.0 (.Net 3.5 introduces lambda expressions).
The VB example below shows calling a method as a delegate with elevated privileges. The _web field is initialized in the constructor using elevated privileges. By creating the _web (SPWeb) field with elevated privileges, all API calls based off of this object will be permitted for any user, regardless of their permission level.
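Imports Microsoft.SharePoint

Public Class EmployeeSuggestion
    Private _web As SPWeb
    Private suggestionID As Integer
    Public Sub New(id As Integer)
        suggestionID = id
        ' Pass the method as a delegate; it runs with elevated privileges
        SPSecurity.RunWithElevatedPrivileges(AddressOf CreateElevatedWeb)
    End Sub
    Private Sub CreateElevatedWeb()
        ' SPSite/SPWeb objects created inside the delegate carry the elevated identity
        Dim site As New SPSite(SPContext.Current.Site.ID)
        _web = site.OpenWeb(SPContext.Current.Web.ID)
    End Sub
    Public Sub Delete()
        Dim list As SPList = _web.Lists("EmployeeSuggestions")
        Dim item As SPListItem = list.GetItemById(suggestionID)
        item.Delete()
    End Sub
End Class
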
Also note: you may still need to set the AllowUnsafeUpdates property of the SPWeb object to True in some situations. See more here.
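
Because the elevated SPWeb bypasses the user's permission level, the ownership and 24-hour checks described above have to be enforced in the web part code itself. The following is an added example, not code from the original post; the class name GuardedSuggestion, the TryDelete method and the EditWindow constant are hypothetical, and it assumes the list's built-in Author and Created fields identify who submitted the suggestion and when.

```vbnet
Imports System
Imports Microsoft.SharePoint

' Added example (hypothetical class); follows the page's delegate pattern.
Public Class GuardedSuggestion
    Private Shared ReadOnly EditWindow As TimeSpan = TimeSpan.FromHours(24)
    Private _suggestionID As Integer
    Private _callerID As Integer
    Private _deleted As Boolean

    Public Sub New(ByVal id As Integer)
        _suggestionID = id
        ' Capture the real caller BEFORE elevating: on an elevated SPWeb,
        ' CurrentUser is the system account, not the employee.
        _callerID = SPContext.Current.Web.CurrentUser.ID
    End Sub

    ' Returns True only if the caller submitted the item and it is inside the window.
    Public Function TryDelete() As Boolean
        _deleted = False
        SPSecurity.RunWithElevatedPrivileges(AddressOf DeleteElevated)
        Return _deleted
    End Function

    Private Sub DeleteElevated()
        Using site As New SPSite(SPContext.Current.Site.ID)
            Using web As SPWeb = site.OpenWeb(SPContext.Current.Web.ID)
                Dim item As SPListItem = _
                    web.Lists("EmployeeSuggestions").GetItemById(_suggestionID)

                ' Ownership check: the Author field value has the form "id;#name".
                Dim author As New SPFieldUserValue(web, CStr(item("Author")))
                If author.LookupId <> _callerID Then Return

                ' Window check on the server clock, compared in UTC.
                ' Assumption: Created is returned in the web's regional time.
                Dim createdUtc As DateTime = _
                    web.RegionalSettings.TimeZone.LocalTimeToUTC(CDate(item("Created")))
                If DateTime.UtcNow - createdUtc > EditWindow Then Return

                item.Delete()
                _deleted = True
            End Using
        End Using
    End Sub
End Class
```

The suggestion ID arrives from the request, so both checks run on every call rather than relying on the web part hiding the "Edit" and "Delete" links after 24 hours.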