New List Experience allow bypass security bits (Item-level Permissions)


We recently found out (thanks to a junior QA) that the new list experience simply ignores the security bit setting on a list. I did some tests and I can confirm this on SharePoint Online. Below you can find full details and repro steps with code.

Can anyone contact Microsoft or push this issue higher? It's a rather large, critical issue.

Issue:

When using the "New Lists Experience", a user can recycle items even without having the rights to do so.

Repro steps:

1. Create a Custom List, break roles; add a few users as contributors (for example user A and user B)

2. Go to list settings, Advanced settings, set "Item Level Permissions" (so-called security bits) to:

 - [x] Read All Items

 - [x] Create items and edit items that were created by the user

3. Create a few items as User A

4. Log in as User B, go to the default list view

5. Make sure you are using new list experience

6. Select an item from User A

7. Click delete (confirm).

8. The item has been deleted successfully.

Detailed explanation:

The new list experience is using the REST API, sending a POST call to "/_api/web/GetFileByServerRelativePath(DecodedUrl=@a1)/recycle?@a1='/<relative_list_url>/<item_id>_.000'", which is clearly a file-recycle method. As far as I remember, you cannot specify security bits on document libraries, so the method author didn't bother with a security check...

I have checked the following methods (APIs) and both of them return a forbidden error:

JSOM - list.getItemById(15).recycle()

REST list API - _api/web/lists/GetByTitle('title')/items(15)/recycle()

Code with examples:

(Just make sure to run it in Chrome because I have used the fat arrow operator; remember to change the SharePoint Online URL as well.)

https://pastebin.com/rj25pjMw


Regards!
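An added example (not the original poster's code, which was linked on pastebin): a site owner can use it to inventory which lists in a site rely on Item-level Permissions (security bits) and so would have been exposed by the bypass described above. It assumes the standard `_api/web/lists` endpoint and its `ReadSecurity`/`WriteSecurity`/`BaseTemplate` properties; the `siteUrl` and the sample list data are constructed.

```javascript
// Audit which lists depend on Item-level Permissions ("security bits").
// SharePoint REST exposes the setting as SPList.ReadSecurity / WriteSecurity:
//   ReadSecurity  1 = read all items, 2 = read only items created by the user
//   WriteSecurity 1 = create and edit all items, 2 = own items only, 4 = none
// Document libraries (BaseTemplate 101) do not expose this setting in the UI,
// so they are skipped. Hidden (system) lists are skipped by the fetcher.

function listsRelyingOnItemLevelPermissions(lists) {
  return lists
    .filter((l) => l.BaseTemplate !== 101)
    .filter((l) => l.ReadSecurity === 2 || l.WriteSecurity !== 1)
    .map((l) => ({
      title: l.Title,
      readSecurity: l.ReadSecurity,
      writeSecurity: l.WriteSecurity,
      // Lists with "own items only" write access are the ones where the
      // file-recycle bypass would let a contributor delete others' items.
      ownItemsOnlyWrite: l.WriteSecurity === 2,
    }));
}

// Fetch the list collection of a site (siteUrl is an assumed value such as
// https://contoso.sharepoint.com/sites/team) and audit it in the browser,
// using the caller's existing SharePoint session.
async function auditSite(siteUrl) {
  const url =
    `${siteUrl}/_api/web/lists` +
    `?$select=Title,BaseTemplate,ReadSecurity,WriteSecurity,Hidden`;
  const resp = await fetch(url, {
    credentials: "include",
    headers: { Accept: "application/json;odata=nometadata" },
  });
  if (!resp.ok) throw new Error(`HTTP ${resp.status} fetching ${url}`);
  const body = await resp.json();
  return listsRelyingOnItemLevelPermissions(body.value.filter((l) => !l.Hidden));
}

// Constructed sample of what the endpoint returns (not real tenant data),
// so the audit logic can be exercised offline.
const SAMPLE_LISTS = [
  { Title: "Tickets", BaseTemplate: 100, ReadSecurity: 1, WriteSecurity: 2, Hidden: false },
  { Title: "Announcements", BaseTemplate: 104, ReadSecurity: 1, WriteSecurity: 1, Hidden: false },
  { Title: "Shared Documents", BaseTemplate: 101, ReadSecurity: 1, WriteSecurity: 2, Hidden: false },
  { Title: "Private Notes", BaseTemplate: 100, ReadSecurity: 2, WriteSecurity: 2, Hidden: false },
];
```

Run `auditSite(siteUrl)` from the browser console of a site you administer; the returned entries are the lists whose protection depended solely on security bits.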

5 Replies
Seriously Microsoft? No one cares?

Almost 2 months have passed. Is there an update to this from either OP or Microsoft?

Has anyone filed a formal ticket? Either O365 or ideally premier?

Looks like it is fixed on our tenants.