But the confusing part is same user can add some other Web Parts like List View Web Parts without having this issue. Behind this behavior there is a logic to make these web part secured against the cross site scripting attacks.
Now we have a permission with the name Add and Customize Page.
This permission is not granted by default to the Contributor permission level. If we add this permission to the permission level users having contributor permission level will be able to add any web part to the page. This permission is given by default to Designer group. If these Web Parts are already added to the page and if the Contributor can only edit some of the properties.
There is another side of this story as well. If we dont want to give this permission to the contributors but still want that they should be able to add the web parts which were not allowed by default, we need to make a change in the Web.Config File. There is a new parameter introduced with the Safe Control entry with the name "Safe". This parameter decides which web parts are SAFE to be added by the people who dont have the Add and Customize Page permission. For any web part if we set this property to be False then the people not having Add and Customize Page permission will not be able to add this web part on the Web Part Page inspite they are the contributor.
I will change this property to Content by Query Web Part as below to false.
<SafeControl Assembly="Microsoft.SharePoint.Publishing, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.SharePoint.Publishing.WebControls" TypeName="ContentByQueryWebPart" Safe="false" AllowRemoteDesigner="True" SafeAgainstScript="True" />Earlier when the Safe flag was set to True contributors were able to add this web part without any issue. Now if they try to add this web part they will get the following error (A Web Part of Web Form Control on this Page cannot be displayed or imported. The type is not registered as safe):
So if you want that contributors in your site should be able to add all the web parts we can change the value for this property.
1 comment:
the issue i see here is the contributor will now be able to execute client side script on the page, including the new client OM in 2010... so in effect, they can write some malicious code, send the link to someone who has access and cause some damage.. no?
Post a Comment