Update… this gets worse in SP 2013! "Members" can create and delete lists and libraries by default! See here.
So much of the core of SharePoint 2010 is the same as what we knew in SharePoint 2007 that we are quite surprised when we do run across a really odd change. In SP 2007 members could not edit the home page of the site or modify “shared” web parts. Unless you removed their permission to do so, they could edit personal views of web parts, but not the shared web parts seen by all users. In SP 2010 site members can not only edit the web parts, but they can edit the home page (home.aspx). And it gets worse…
Site Members can even delete the home page!
Delete your home page? Try it sometime! The result is interesting… (but be safe, don’t try it on a production site) Sites created from the Team Site template store their “home” page in the Site Pages library as a file named home.aspx. When the home.aspx page gets deleted it goes to the Recycle Bin. The site still works sort of… you will now see a 2007 style web part page that has none of your web parts, text or pictures. It’s the old default.aspx page left over from the 2007 days.
You can recover just fine, just go to the recycle bin and store the page. Click Home in the Top Link Bar and everything is back to normal.
Take away some permissions! The problem comes from the fact that wiki pages are stored in a library, and by default users with contributor permissions (site members) have read, write and delete permissions on all libraries. So to fix this little problem we need to take away some permissions on the Site Pages library.
The before and the after:
And the after:
- While logged in as a site owner, go to the Site Pages library
- Click the Library tab or the ribbon and click Library Settings
- Click Permissions for this document library
- Click the Stop Inheriting Permissions button in the ribbon and click OK
- Checkmark the Members group (and any other groups that need the same change) and click Edit user Permissions
- Un-checkmark “Contribute”, checkmark “Read” and click OK
Note: You can undo all of the above by repeating steps 1-3 and clicking Inherit Permissions.
One more little problem…
We still have New Page in the Site Actions menu.
If the contributor user clicks this menu option they will get the dialog box to add a new page, but when they click OK they will get an Access Denied error.
How to fix this?
The first script block just initializes a variable to false to default to hiding the menu option.
The SPSecurityTrimmedControl runs its script block only if the user has the “ManageWeb” permission. That script block just sets the variable to true.
The last script block tests to see if the user should see the menu option, loops through all of the “<ie:menuitem>” tags looking for one with the text “MenuItem_EditPage” in it’s ID and then hides it.
- Open SharePoint Designer and open your master page (most likely v4.master)
- Click Edit Page
Note: The “ManageWeb” permission is generally unique to Site Owners and is one of 32 permissions that can be assigned in SharePoint. There is a list of the permissions strings at the bottom of this article: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.webcontrols.spsecuritytrimmedcontrol.permissionsstring%28office.12%29.aspx
(These 32 permissions are unchanged from SP 2007)