New List Experience allow bypass security bits (Item-level Permissions)

Copper Contributor


We recently found out (thanks to junior QA) that new list experience simply ignores security bit setting on list. I did some tests and I can confirm this on SharePoint Online. Below, you can find full details and repro steps with code.


Can anyone contact Microsoft or push this issue higher? It's rather large critical.



When using "New Lists Experience" user can recycle items, even without having rights to do so.


Repo steps:

1. Create Custom List, break roles; add few users as a contributors (for example user A, and user B)

2. Go to list settings, advances settings, set "Item Level Permissions" (so called security bits) to:

 - <check> Read All Items

 - <check> Create items and edit items that were created by the user

3. Create few items as User A

4. Login as User B, go to default list view

5. Make sure you are using new list experience

6. select item from User A

7. Click delete (confirm).

8. Item have been deleted sucessfully.


Detailed explanation:

New list experience is using REST API - sending a POST call to "/_api/web/GetFileByServerRelativePath(DecodedUrl=@a1)/recycle?@a1='/<relative_list_url>/<item_id>_.000'", which is clearly a file-recycle method. As far as I remember, you cannot specify security bits on document libraries, so method author didn't bother with security check...

I have checked following methods (APIs) and both of them return forbidden error:

JSOM - list.getItemById(15).recycle()

REST LIST API: _api/web/lists/GetByTitle('title')/items(15)/recycle()


Code with examples:

(just make sure to run it on chrome because i have used fat arrow operator; remember change SharePoint Online URL as well)



5 Replies

Seriously Microsoft? No one cares?



Almost 2 months have passed. Is there an update to this from either OP or Microsoft?

Has anyone filed a formal ticket? Either O365 or ideally premier?

Looks like it is fixed on our tenants.