Paul Liebrand's Weblog

Welcome to my blog mainly about SharePoint


SharePoint 2013 Edit vs. Contribute – What the hell happened?

20 February, 2014 (21:38) | SharePoint | By: Liebrand

Today I discovered an interesting change to the security model in SharePoint 2013. Create a new team site with the three (3) default groups: Visitor, Members, and Owners. Without looking at this too closely, I noticed that people I added to the Members group were able to completely change all the pages and delete lists.

I thought to myself, “wait a minute – contributors should not have this level of access. All they should be able to do is add, update, or delete content on existing lists.” I checked the permission level for Contribute and saw it was set up how I expected. Baffled.

After some further analysis, I determined that in SharePoint 2013 there is a new permission level called Edit and it is assigned to the Members group by default. The description of the Edit permission level states:

Can add, edit and delete lists; can view, add, update and delete list items and documents.

This seems extremely strange, and I just do not feel this should be the default setting for a Members group. I have not yet discovered why Microsoft made this change or what benefit it serves.

I decided to take a look at what the code is doing so I can figure out if there is a way around it. I discovered the following check in the PermissionSetupPage code within Microsoft.SharePoint.ApplicationPages.dll.

    sPGroup = this.OwnerParam.Create(currentUser, nums, nums1, PermissionSetupPage.GroupType.Owner);
    sPGroup1 = this.MemberParam.Create(sPGroup, nums, nums1, PermissionSetupPage.GroupType.Member);
    sPGroup2 = this.VisitorParam.Create(sPGroup, nums, nums1, PermissionSetupPage.GroupType.Visitor);
    // The Members group receives Edit or Contribute depending on ShouldUseEditRole.
    SPRoleType sPRoleType = (SPUtilityInternal.ShouldUseEditRole(base.Web) ? SPRoleType.Editor : SPRoleType.Contributor);
    if (this.CanGrantPermission)
    {
        this.GrantPermission(sPGroup, SPRoleType.Administrator);
        this.GrantPermission(sPGroup2, SPRoleType.Reader);
        this.GrantPermission(sPGroup1, sPRoleType);
    }

Take note of the SPUtilityInternal.ShouldUseEditRole method that is being called. I followed the trail to this method and found the following code:

    internal static bool ShouldUseEditRole(SPWeb web)
    {
        // No Edit permission level defined on this web: fall back to Contribute.
        if (web.RoleDefinitions.GetByTypeNoThrow(SPRoleType.Editor) == null)
        {
            return false;
        }
        return web.UseEditRole;
    }

So it first checks whether the Edit permission level exists in the web. If it doesn’t exist, the method returns false and the calling code uses Contribute instead. If it does exist, the method returns the web's UseEditRole value.

So if you want to force your SharePoint 2013 environment to use the old behavior, follow these steps:

  1. Change all the Members groups from Edit to Contribute.
  2. Delete the Edit permission level.

Moving forward – all new sites will now use Contribute instead of Edit. I may consider writing a custom solution in the near future that SharePoint administrators can simply install to change the default behavior, but I need to make sure I understand why Microsoft made this drastic change.
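
Step 1 above, scripted for one site collection, as an added example that is not part of the original post or of SharePoint itself: it lists every web-level role assignment bound to the Edit permission level and, only when run with -Fix, rebinds it to Contribute. The parameter names $SiteUrl and -Fix are this script's own, and it assumes the SharePoint 2013 Management Shell; lists and libraries with unique permissions are not covered.

```powershell
# Added example: report, and with -Fix replace, web-level role assignments
# that are bound to the Edit permission level.
param(
    [Parameter(Mandatory = $true)][string]$SiteUrl,  # site collection to audit
    [switch]$Fix                                     # report-only unless supplied
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$editorType      = [Microsoft.SharePoint.SPRoleType]::Editor
$contributorType = [Microsoft.SharePoint.SPRoleType]::Contributor

$site = Get-SPSite -Identity $SiteUrl
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Webs that inherit permissions are covered by their parent web.
            if (-not $web.HasUniqueRoleAssignments) { continue }

            $edit       = $web.RoleDefinitions | Where-Object { $_.Type -eq $editorType }
            $contribute = $web.RoleDefinitions | Where-Object { $_.Type -eq $contributorType }
            if (-not $edit) { continue }   # Edit level does not exist on this web

            # Snapshot the collection so updates do not disturb the enumeration.
            foreach ($ra in @($web.RoleAssignments)) {
                if (-not $ra.RoleDefinitionBindings.Contains($edit)) { continue }

                $action = 'Reported'
                if ($Fix -and $contribute) {
                    # Add Contribute before removing Edit so the assignment is never empty.
                    if (-not $ra.RoleDefinitionBindings.Contains($contribute)) {
                        $ra.RoleDefinitionBindings.Add($contribute)
                    }
                    $ra.RoleDefinitionBindings.Remove($edit)
                    $ra.Update()
                    $action = 'Changed to Contribute'
                }
                [pscustomobject]@{
                    Web       = $web.Url
                    Principal = $ra.Member.Name
                    IsMembers = ($ra.Member.ID -eq $web.AssociatedMemberGroup.ID)
                    Action    = $action
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }
```

Running it first without -Fix gives a list of who currently holds Edit, which is worth reviewing before step 2 removes the permission level.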
