Paul Liebrand's Weblog

Welcome to my blog mainly about SharePoint

SharePoint 2013 Edit vs. Contribute – What the hell happened?

20 February, 2014 (21:38) | SharePoint | By: Liebrand

Today I discovered an interesting change to the security model in SharePoint 2013. Create a new team site with the three (3) default groups: Visitors, Members, and Owners. Without observing this too closely, I noticed that people I added to the Members group were able to completely change all the pages and delete lists.

I thought to myself, “wait a minute – contributors should not have this level of access. All they should be able to do is add, update, or delete content on existing lists.” I checked the permission levels for Contribute and saw it was set up how I expected. Baffled.

After some further analysis, I determined that in SharePoint 2013 there is a new permission level called Edit and it is assigned to the Members group by default. The Edit permission level states:

Can add, edit and delete lists; can view, add, update and delete list items and documents.

This seems extremely strange and I just do not feel this should be the default setting for a Members group. I have not yet discovered the reason why Microsoft has made this change or what benefit it is serving.

I decided to take a look at what the code is doing so I can figure out if there is a way around it. I discovered the following check in the PermissionSetupPage code within Microsoft.SharePoint.ApplicationPages.dll.

    sPGroup = this.OwnerParam.Create(currentUser, nums, nums1, PermissionSetupPage.GroupType.Owner);
    sPGroup1 = this.MemberParam.Create(sPGroup, nums, nums1, PermissionSetupPage.GroupType.Member);
    sPGroup2 = this.VisitorParam.Create(sPGroup, nums, nums1, PermissionSetupPage.GroupType.Visitor);
    SPRoleType sPRoleType = (SPUtilityInternal.ShouldUseEditRole(base.Web) ? SPRoleType.Editor : SPRoleType.Contributor);
    if (this.CanGrantPermission)
    {
        this.GrantPermission(sPGroup, SPRoleType.Administrator);
        this.GrantPermission(sPGroup2, SPRoleType.Reader);
        this.GrantPermission(sPGroup1, sPRoleType);
    }

Take note of the SPUtilityInternal.ShouldUseEditRole method that is being called. I followed the trail to this method and found the following code:

    internal static bool ShouldUseEditRole(SPWeb web)
    {
        if (web.RoleDefinitions.GetByTypeNoThrow(SPRoleType.Editor) == null)
        {
            return false;
        }
        return web.UseEditRole;
    }

So it first checks whether the Edit permission level exists in the web. If it doesn’t exist, the method returns false and the calling code uses Contribute instead; if it does exist, the method returns the web’s UseEditRole value.

Solution

So if you want to force your SharePoint 2013 environment to use the old method, simply do the following steps:

  1. Change all the Members groups from Edit to Contribute.
  2. Delete the Edit permission level.

Moving forward – all new sites will now use Contribute instead of Edit. I may consider writing a custom solution in the near future to allow SharePoint Administrators to simply install and change the default behavior but I need to make sure I understand why Microsoft made this drastic change.
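
Step 1 above can be audited and applied from the SharePoint 2013 Management Shell. The script below is an added example, not code from the original post or from Microsoft: it lists every web-level role assignment that carries the Edit (SPRoleType.Editor) level and, when the switch is given, replaces it with Contribute. The parameter names `$SiteUrl` and `-Fix` are assumptions made for this example.

```powershell
# Added example: report (and optionally replace) Edit bindings in one site collection.
# $SiteUrl and -Fix are hypothetical parameter names chosen for this script.
param(
    [Parameter(Mandatory = $true)][string]$SiteUrl,
    [switch]$Fix   # without -Fix the script only reports
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$editorType      = [Microsoft.SharePoint.SPRoleType]::Editor
$contributorType = [Microsoft.SharePoint.SPRoleType]::Contributor

$site = Get-SPSite $SiteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Webs that inherit permissions are covered by their parent web.
            if (-not $web.HasUniqueRoleAssignments) { continue }

            # GetByType throws if the web has no Contribute level; that should
            # stop the run rather than leave a group with no permission level.
            $contribute = $web.RoleDefinitions.GetByType($contributorType)

            # Web-level assignments only; lists with unique permissions are not walked.
            foreach ($ra in @($web.RoleAssignments)) {
                $edit = @($ra.RoleDefinitionBindings |
                          Where-Object { $_.Type -eq $editorType })
                if ($edit.Count -eq 0) { continue }

                [pscustomobject]@{
                    Web       = $web.Url
                    Principal = $ra.Member.Name
                    Level     = $edit[0].Name
                    Replaced  = [bool]$Fix
                }

                if ($Fix) {
                    # Add Contribute before removing Edit so the principal
                    # is never left with an empty set of bindings.
                    if (-not $ra.RoleDefinitionBindings.Contains($contribute)) {
                        $ra.RoleDefinitionBindings.Add($contribute)
                    }
                    $ra.RoleDefinitionBindings.Remove($edit[0])
                    $ra.Update()
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }
```

Running it once without `-Fix` gives the list of groups and users that currently hold Edit; a second report-only run after the change should return nothing before the Edit permission level is deleted in step 2.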

