Here is a piece of code (a function) that sets item-level permissions. You can use it as a Web Method in a custom Web Service. The method can be called from applications outside SharePoint, provided the user running that application has sufficient privileges to update the lists/libraries involved.
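/// <summary>
/// Grants the Contributor role on the first item of the "TestDocLib" list in the site at
/// <paramref name="SitePath"/> to a fixed (placeholder) login, breaking role inheritance on
/// that item first if it still inherits from the list. Runs under the caller's own identity;
/// no privilege elevation is performed, so the caller needs rights to manage permissions.
/// </summary>
/// <param name="SitePath">URL of the site collection whose root web holds the list.</param>
/// <returns>
/// An empty string on success; otherwise "Permission not set, reason: " followed by the
/// exception message. The method never throws to its caller.
/// </returns>
public string ItemPermission(string SitePath)
{
    // Hard-coded targets kept from the original; <domain>\<user> is a placeholder login.
    const string listTitle = "TestDocLib";
    const string assigneeLogin = "<domain>\\<user>";

    try
    {
        // SPSite and SPWeb own unmanaged resources; the original never disposed either.
        using (SPSite site = new SPSite(SitePath))
        using (SPWeb web = site.OpenWeb())
        {
            SPList list = web.Lists[listTitle];
            // Items[0] throws ArgumentOutOfRangeException on an empty list; that surfaces
            // through the catch below as a "not set" result rather than an unhandled fault.
            SPListItem item = list.Items[0];

            SPRoleDefinition contributor = web.RoleDefinitions.GetByType(SPRoleType.Contributor);
            SPRoleAssignment assignment = new SPRoleAssignment(assigneeLogin, "email", "name", "notes");
            assignment.RoleDefinitionBindings.Add(contributor);

            // Item-level permissions require the item to stop inheriting from the list;
            // true = copy the list's current role assignments onto the item before adding ours.
            if (!item.HasUniqueRoleAssignments)
            {
                item.BreakRoleInheritance(true);
            }

            item.RoleAssignments.Add(assignment);
            item.Update();
        }

        return "";
    }
    catch (Exception ex)
    {
        // Contract: report failure as text rather than throwing. Note that ex.Message is
        // handed back to a remote caller of the web method, so it can reveal internal
        // details (list names, principal resolution errors) to whoever can call it.
        return "Permission not set, reason: " + ex.Message;
    }
}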
=========================================================
预期在 SPSecurity.RunWithElevatedPrivileges 中获得提升权限的任何对象，都必须是在这个新的安全上下文中创建的对象；在其内部引用外部创建的对象，仍然没有权限操作。
// Re-fetch the site, web and item inside the elevated delegate: only objects created in
// this delegate carry the elevated identity, so the SPListItem the event receiver was
// handed (properties.ListItem) is not used for the writes below. Everything read from
// `properties` here comes from the event, not from end-user input.
SPSecurity.RunWithElevatedPrivileges(delegate
{
    using (SPSite site = new SPSite(properties.SiteId))
    {
        using (SPWeb web = site.OpenWeb(properties.ListItem.ParentList.ParentWeb.ID))
        {
            // Permit object-model writes on this web without request security (form digest)
            // validation. The flag is scoped to this SPWeb, which is disposed at the end of
            // the using block, so it does not leak into other code paths.
            web.AllowUnsafeUpdates = true;
            // Make sure to refer to the new object created under the elevated security context.
            // There seems to be some bug in web.Lists[properties.ListId].Items[properties.ListItemId] // IndexOutOfRange
            SPListItem item = web.Lists[properties.ListId].Items[properties.ListItem.UniqueId];
            // false = do not copy the parent's role assignments, so the item ends up with
            // exactly the two assignments added below and nothing inherited from the list.
            item.BreakRoleInheritance(false);
            // Role definitions are looked up by display name; these names assume an
            // English site definition — TODO confirm, or resolve via RoleDefinitions.GetByType.
            SPRoleDefinition readRoleDef = web.RoleDefinitions["Read"];
            SPRoleDefinition contributeRoleDef = web.RoleDefinitions["Contribute"];
            // The user creating this item gets the Contribute permission level.
            // NOTE(review): the AllUsers indexer throws if the login is not already a user of
            // this web; confirm that holds for every creator, otherwise web.EnsureUser is the
            // safer lookup.
            SPRoleAssignment roleAssOfCurrentUser = new SPRoleAssignment(web.AllUsers[properties.UserLoginName]);
            roleAssOfCurrentUser.RoleDefinitionBindings.Add(contributeRoleDef);
            // All authenticated users can read. This is the broadest grant in this block;
            // it is intentional here but worth re-checking whenever the item's data changes.
            SPRoleAssignment roleAssOfAllUser = new SPRoleAssignment(web.AllUsers["NT AUTHORITY\\Authenticated Users"]);
            roleAssOfAllUser.RoleDefinitionBindings.Add(readRoleDef);
            item.RoleAssignments.Add(roleAssOfCurrentUser);
            item.RoleAssignments.Add(roleAssOfAllUser);
            //properties.ListItem.SystemUpdate(); // NO NEED — the original author found no item update call was required after adding the role assignments.
        }
    }
});