4/16/2011

SharePoint 2010: Members Can Edit Web Parts and Pages (and how to prevent that)

 

Update… this gets worse in SP 2013! "Members" can create and delete lists and libraries by default! See here.

---

So much of the core of SharePoint 2010 is the same as what we knew in SharePoint 2007 that we are quite surprised when we do run across a really odd change. In SP 2007 members could not edit the home page of the site or modify “shared” web parts.  Unless you removed their permission to do so, they could edit personal views of web parts, but not the shared web parts seen by all users. In SP 2010 site members can not only edit the web parts, but they can edit the home page (home.aspx). And it gets worse…

 

Site Members can even delete the home page!

image

 

Delete your home page? Try it sometime! The result is interesting… (but be safe, don’t try it on a production site)  Sites created from the Team Site template store their “home” page in the Site Pages library as a file named home.aspx. When the home.aspx page gets deleted it goes to the Recycle Bin. The site still works sort of… you will now see a 2007 style web part page that has none of your web parts, text or pictures. It’s the old default.aspx page left over from the 2007 days.

You can recover just fine, just go to the recycle bin and store the page. Click Home in the Top Link Bar and everything is back to normal.

 

The Fix?

Take away some permissions! The problem comes from the fact that wiki pages are stored in a library, and by default users with contributor permissions (site members) have read, write and delete permissions on all libraries. So to fix this little problem we need to take away some permissions on the Site Pages library.

The before and the after:

image  image

 

The before:

image

And the after:

image

 

Steps:

  1. While logged in as a site owner, go to the Site Pages library
  2. Click the Library tab or the ribbon and click Library Settings
  3. Click Permissions for this document library
  4. Click the Stop Inheriting Permissions button in the ribbon and click OK
      image
      image
  5. Checkmark the Members group (and any other groups that need the same change) and click Edit user Permissions 
      image
  6.   Un-checkmark “Contribute”, checkmark “Read” and click OK
      image
  7. Test!

Note: You can undo all of the above by repeating steps 1-3 and clicking Inherit Permissions.

image

 

One more little problem…

We still have New Page in the Site Actions menu.

  image

 

If the contributor user clicks this menu option they will get the dialog box to add a new page, but when they click OK they will get an Access Denied error.

  image

 

How to fix this?

We need to hide the New Page menu item, but only for selected users. This can be done with a little JavaScript and a SPSecurityTrimmedControl.

For more on the SPSecurityTrimmedControl see: http://techtrainingnotes.blogspot.com/2009/07/sharepoint-run-javascript-based-on-user.html

Here’s the JavaScript to hide the menu for selected users:

<script type="text/javascript">
  <!-- assume no is allowed to see the menu option -->
  var userCanSeeNewPage = false;
</script>

<SharePoint:SPSecurityTrimmedControl runat="server" 
  PermissionsString="ManageWeb">
  <script type="text/javascript">
    <!-- users with ViewFormPages can see the menu option -->
    userCanSeeNewPage = true;
  </script>
</SharePoint:SPSecurityTrimmedControl>

<script type="text/javascript">
<!-- Hide the menu option for some users -->
if ( userCanSeeNewPage == false)
{
 var doc = document.getElementsByTagName('ie:menuitem'); 
 for (var i = 0; i < doc.length; i++)
  {
    itm = doc[i];
    if (itm.id.match('MenuItem_EditPage') != null)
      {
        itm.hidden=true;
        break; 
      }
  } 
}
</script>

The first script block just initializes a variable to false to default to hiding the menu option.

The SPSecurityTrimmedControl runs its script block only if the user has the “ManageWeb” permission. That script block just sets the variable to true.

The last script block tests to see if the user should see the menu option, loops through all of the “<ie:menuitem>” tags looking for one with the text “MenuItem_EditPage” in it’s ID and then hides it.

 

Steps:

  1. Open SharePoint Designer and open your master page (most likely v4.master)
  2. Click Edit Page
  3. Scroll down to the end of the master page and just before the “</body>” tag insert the JavaScript from above

Note: The “ManageWeb” permission is generally unique to Site Owners and is one of 32 permissions that can be assigned in SharePoint. There is a list of the permissions strings at the bottom of this article:  http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.webcontrols.spsecuritytrimmedcontrol.permissionsstring%28office.12%29.aspx

(These 32 permissions are unchanged from SP 2007)

 

.

6 comments:

Anonymous said...

I just wanted to thank you for your post. It helped me understand why people without designer or owner roles were able to edit the web parts on the pages. This was driving me crazy

Anonymous said...

I also wanted to thank you for posting this solution. I've spent countless hours trying to change permissions without anything working -- until I found your page!

Balu Kalepu said...

Excellet.. Its made my day :)
Thanks for the detailed explanation.

Balu K

Balu Kalepu said...

Excellent Article. You made my day..
Thanks for the detailed explanation.

Balu K

Anonymous said...

You made my day..
Excellent explanation.
Thanks much.

Balu K

Anonymous said...

Excelente!!!!!! Gracias amigo por su explicacion!!! XD

Note to spammers!

Spammers, don't waste your time... all posts are moderated. If your comment includes unrelated links, is advertising, or just pure spam, it will never be seen.