Outlook Issues

This section examines two special issues relating to Outlook development. The first is the Outlook object model security dialog box and how to prevent your add-in code from triggering it. The second Outlook-specific issue is a third object model, called Extended MAPI, that can be used in addition to the Outlook object model and the CDO object model. We briefly consider when you might need to resort to using it and how this is typically done.

Outlook Object Model Security

Occasionally, as you develop Outlook 2003 add-ins, you might write code that causes the Outlook object model security dialog box to display (see Figure 11.11). This dialog box was added to prevent the spread of viruses and worms that accessed parts of the Outlook object model, such as the address book, to spread themselves.

Typically, you want to prevent this dialog box from coming up, because it can distress your users. When you understand why this dialog box appears, you can refactor your code to avoid this dialog box. If you write a COM add-in, you are passed an Application object to the OnConnection method of IDTExtensibility2. If you write a VSTO add-in, you can access the methods and properties of Outlook's application object through the base class of the ThisApplication class. The Application object passed to OnConnection and the base class of VSTO's ThisApplication class are trusted in Outlook 2003; as long as you obtain all other objects you use from these trusted objects, you never have to worry about the object model security dialog box.

If you create a new instance of the Application object, this new instance will not be trusted, and the objects you create or access from it will sometimes cause the Outlook object model security dialog box to appear. Also, the objects passed into your event handlers as parameters are not trusted objects, and accessing restricted methods and properties on these objects can cause the Outlook object model security dialog box to appear. If you trigger the Outlook object model security dialog box by using these objects, you should find a way to get the same object through your trusted Application object.

A handful of restricted properties and methods of the Outlook object model can cause the security dialog box to appear when you talk to an object that was not obtained from a trusted Application object. Table 11.13 shows the complete list of properties and methods in the Outlook object model that can cause the security dialog box to appear when you call them on an object that was not obtained from a trusted Application object.

Listing 11.31 illustrates a COM add-in that uses a trusted and an untrusted Application object. The first block of code gets a MailItem out of the Inbox using the Application object passed to OnConnection, which we have set to a class member variable called trustedApplication. Then it tries to access the MailItem object's Body property (which is a restricted property) on the object obtained via the trustedApplication object. This action will not cause the object model security dialog box to appear. The second block of code uses an Application object we have created using the New keyword. This Application object is not trusted, and the Outlook item we obtain via this unTRustedApplication variable causes the object model security dialog box to appear when we access the restricted Body property.

Listing 11.31. A COM Add-In That Accesses a MailItem's Body Property Through a Trusted and Untrusted Application Object

Public Sub OnConnection(ByVal application As Object, _   ByVal connectMode As Extensibility.ext_ConnectMode, _   ByVal addInInst As Object, ByRef custom As System.Array) _   Implements Extensibility.IDTExtensibility2.OnConnection   applicationObject = application   addInInstance = addInInst   Dim trustedApplication As Outlook.Application = _     CType(application, Outlook.Application)   Dim untrustedApplication As New Outlook.Application()   ' Using trusted application   Dim inbox As Outlook.MAPIFolder = _     trustedApplication.Session.GetDefaultFolder( _     Outlook.OlDefaultFolders.olFolderInbox)   If TypeOf inbox.Items(1) Is Outlook.MailItem Then     Dim mailItem As Outlook.MailItem = inbox.Items(1)     MsgBox(mailItem.Body)   End If   ' Using untrusted application causes dialog to appear   Dim inbox2 As Outlook.MAPIFolder = _     untrustedApplication.Session.GetDefaultFolder( _     Outlook.OlDefaultFolders.olFolderInbox)   If TypeOf inbox2.Items(1) Is Outlook.MailItem Then     Dim mailItem2 As Outlook.MailItem = inbox2.Items(1)     MsgBox(mailItem2.Body)   End If End Sub 

Listing 11.32 shows a VSTO add-in that has a similar problem because it tries to access a restricted property on an Outlook item passed into an event handler as a parameter. As mentioned earlier, parameters passed into event handlers are untrusted, and accessing properties on these parameters that are restricted causes the Outlook object model security dialog box to appear.

Listing 11.32. A VSTO Add-In That Tries to Access the Body Property of a MailItem Obtained from an Untrusted Event Parameter

Public Class ThisApplication   Private Sub ThisApplication_ItemSend(ByVal Item As Object, _     ByRef Cancel As Boolean) Handles Me.ItemSend     If TypeOf Item Is Outlook.MailItem Then     Dim untrustedMailItem As Outlook.MailItem = Item       MsgBox(String.Format("Untrusted body {0}", _         untrustedMailItem.Body))     End If   End Sub End Class 

If you are developing for a version of Outlook older than 2003, the Application object provided to an add-in is not trusted by default. Also, some installations of Outlook 2003 are configured to not trust any COM or VSTO add-ins by default. For these cases, you have to use the Outlook security administration tools, which rely on a public exchange folder and a form template (Outlooksecurit.oft) that can be installed and configured to provide specific add-ins with a trusted Application object. For VSTO Add-ins, you need to use the Outlook security administration tools to trust the AddinLoader.dll component that loads all VSTO add-ins. You also need to deploy appropriate .NET security policy, as described in Chapter 19, ".NET Code Security."

Extended MAPI

Occasionally, you will find a property in the Outlook object model that you really want to change but that is read-only. Sometimes, it is possible to change these properties using another API set called Extended MAPI. Extended MAPI is a C++-oriented API that talks directly to the MAPI store that backs Outlook folders and items. The way .NET developers typically use Extended MAPI is by creating an assembly written in managed C++. Then your existing managed code then call the managed C++ assembly, which then can call into Extended MAPI. This is an advanced scenario that is not covered further in this book.