Jun 05 2017 10:18 PM
We recently found out (thanks to a junior QA) that the new list experience simply ignores the security bit setting on a list. I did some tests and I can confirm this on SharePoint Online. Below, you can find full details and repro steps with code.
Can anyone contact Microsoft or push this issue higher? It's a rather large, critical issue.
Issue:
When using "New Lists Experience" user can recycle items, even without having rights to do so.
Repro steps:
1. Create a Custom List, break roles; add a few users as contributors (for example User A and User B)
2. Go to List Settings, Advanced Settings, and set "Item Level Permissions" (the so-called security bits) to:
- <check> Read All Items
- <check> Create items and edit items that were created by the user
3. Create a few items as User A
4. Log in as User B, go to the default list view
5. Make sure you are using the new list experience
6. Select an item created by User A
7. Click delete (confirm).
8. The item has been deleted successfully.
Detailed explanation:
The new list experience uses the REST API, sending a POST call to "/_api/web/GetFileByServerRelativePath(DecodedUrl=@a1)/recycle?@a1='/<relative_list_url>/<item_id>_.000'", which is clearly a file-recycle method. As far as I remember, you cannot specify security bits on document libraries, so the method author didn't bother with a security check...
I have checked the following methods (APIs) and both of them return a forbidden error:
JSOM - list.getItemById(15).recycle()
REST LIST API: _api/web/lists/GetByTitle('title')/items(15)/recycle()
Code with examples:
(just make sure to run it in Chrome because I have used the fat arrow operator; remember to change the SharePoint Online URL as well)
Regards!
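The following is an added example, not the original poster's code (which is not reproduced on this page). It is a regression check a tenant admin can run while signed in as the restricted test user (User B in the post) against a throwaway test list with "Item Level Permissions" set to "Create items and edit items that were created by the user", targeting an item created by someone else (User A). It POSTs to both REST recycle endpoints named in the post (the JSOM call is not covered, since it needs SP.js) and reports whether each one answered HTTP 403; any success status means that endpoint bypasses the item-level permission, and because the item really is recycled in that case, use test data only (it can be restored from the recycle bin). The site URL, list title, list relative URL and item id are placeholders, and the `fetchImpl` parameter takes `window.fetch` in a browser tab on the tenant or the constructed fake below for offline runs.

```javascript
// Added example (not the original poster's code): regression check that every
// recycle endpoint refuses a user who did not create the item, including the
// file-based endpoint the new list experience calls.
// Assumptions (placeholders, not values from the post): siteUrl, listTitle,
// listRelativeUrl, itemId. fetchImpl is window.fetch in a browser on the
// tenant, or the constructed fakeFetch below for offline testing.

// OData string literals escape a single quote by doubling it.
const odataQuote = (s) => s.replace(/'/g, "''");

// The two REST recycle endpoints named in the post. The first is the list-item
// API that correctly refuses the restricted user; the second is the file-based
// API used by the new list experience.
const RECYCLE_ENDPOINTS = [
  {
    name: 'list item recycle',
    path: ({ listTitle, itemId }) =>
      `/_api/web/lists/GetByTitle('${odataQuote(listTitle)}')/items(${itemId})/recycle()`,
  },
  {
    name: 'file recycle (new list experience)',
    path: ({ listRelativeUrl, itemId }) =>
      `/_api/web/GetFileByServerRelativePath(DecodedUrl=@a1)/recycle?@a1='${odataQuote(listRelativeUrl)}/${itemId}_.000'`,
  },
];

// Full URLs for a target; synchronous so it can be inspected on its own.
function recycleUrls(target) {
  return RECYCLE_ENDPOINTS.map((ep) => ({ name: ep.name, url: target.siteUrl + ep.path(target) }));
}

// SharePoint REST POSTs need a form digest obtained from /_api/contextinfo.
async function getFormDigest(siteUrl, fetchImpl) {
  const res = await fetchImpl(`${siteUrl}/_api/contextinfo`, {
    method: 'POST',
    headers: { Accept: 'application/json;odata=verbose' },
  });
  if (!res.ok) throw new Error(`contextinfo failed: HTTP ${res.status}`);
  const body = await res.json();
  return body.d.GetContextWebInformation.FormDigestValue;
}

// Pure decision step: the permission is enforced only if every endpoint refused (403).
function evaluate(statuses) {
  const results = statuses.map(({ name, status }) => ({ name, status, enforced: status === 403 }));
  return { enforced: results.every((r) => r.enforced), results };
}

// Tries each recycle endpoint as the current user and reports which ones refused.
async function checkRecycleEnforcement(target, fetchImpl) {
  const digest = await getFormDigest(target.siteUrl, fetchImpl);
  const statuses = [];
  for (const { name, url } of recycleUrls(target)) {
    const res = await fetchImpl(url, {
      method: 'POST',
      headers: { Accept: 'application/json;odata=verbose', 'X-RequestDigest': digest },
    });
    statuses.push({ name, status: res.status });
  }
  return evaluate(statuses);
}

// Constructed fake fetch for offline runs: with fileRecycleStatus = 200 it models
// the behaviour the post describes (list API refuses, file API succeeds); with
// 403 it models a tenant where both endpoints enforce the setting.
function fakeFetch(fileRecycleStatus) {
  return async (url) => {
    if (url.endsWith('/_api/contextinfo')) {
      return {
        ok: true,
        status: 200,
        json: async () => ({ d: { GetContextWebInformation: { FormDigestValue: 'constructed-digest' } } }),
      };
    }
    const status = url.includes('GetFileByServerRelativePath') ? fileRecycleStatus : 403;
    return { ok: status < 400, status, json: async () => ({}) };
  };
}

// Placeholder target (constructed, not taken from the post).
const EXAMPLE_TARGET = {
  siteUrl: 'https://contoso.sharepoint.com/sites/test',
  listTitle: 'Security Bits Test',
  listRelativeUrl: '/sites/test/Lists/SecurityBitsTest',
  itemId: 15,
};

// Offline demo; in a browser on the tenant replace fakeFetch(200) with window.fetch.
checkRecycleEnforcement(EXAMPLE_TARGET, fakeFetch(200)).then((r) =>
  console.log(r.enforced ? 'item-level permissions enforced' : 'BYPASS FOUND', r.results));
```

Keeping the decision in `evaluate` separate from the HTTP calls means the pass/fail rule (every endpoint must return 403) can be unit-tested without a tenant, and a new endpoint only needs one more entry in `RECYCLE_ENDPOINTS`.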
Jun 05 2017 11:14 PM
Adding @Dan Holme @Chris McNulty
Jun 14 2017 04:51 AM - edited Jun 14 2017 05:44 AM
Seriously Microsoft? No one cares?
Aug 10 2017 12:08 AM
Almost 2 months have passed. Is there an update to this from either OP or Microsoft?
Aug 12 2017 12:14 PM
Nov 16 2017 09:29 AM
Looks like it is fixed on our tenants.