Problem:
Very often I use customized “Edit item”, “New Item” and “Display Item” pages (for example to hide certain fields I don’t want editable from a form). The problem is whenever users have contribute access to the list or library and customized form pages are used users are also able to edit the form page. This can often defeat the purpose of hiding or disabling certain fields using custom forms.
Solution:
One way to prevent users from being able to edit new/edit/display item pages is to hide the Site Actions menu so they can’t access the “Edit Page” option. This can be easily achieved by using CSS to hide the control. There is a problem with this approach though – the page can still be edited by appending the “?PageView=Shared&ToolPaneView=2” string to the URL of the page.
A more robust way of preventing users from editing SharePoint form pages is to hide the whole object (ms-SPZone) that displays webparts in edit mode.
Have a look at the screenshots below:
The above screenshots shows a new Holiday Request item page in edit mode. You can see a content editor web part (containing Page description and instructions on submitting a new holiday request), Holiday Register list view web part (displays user’s holiday allotment, days taken and remaining) and the default list form web part (hidden from regular view). The screenshot does not include my custom new form web part lower on the page.
As you can see the edit view of the page would allow a user to modify the page – for example hide or show some web parts, change their position or even change a view (for example, in this case change the view for the holiday register list to display holiday information for all users).
Now the same page with hidden .ms-SPZone
As you can see the only element displayed in edit mode is my customized new item form. All the previously-mentioned remaining web parts (page description, holiday register, default item form) are not displayed and, therefore, cannot be moved, shown, hidden or modified. What displays instead is the “Main” tag (the PlaceHolderMain object).
So how do you prevent users from editing your form pages? Again, the solution is using a snippet of .CSS code a placing it on the page (e.g. using a CEWP). The code you want to add to your page is:
<style type="text/css">
.ms-SPZone {display:none;}
</style>
This “disables” the edit page functionality.
Note that while the above code will keep most of your users away it’s not really a completely secure solution – advanced users with knowledge of Sharepoint and web design can open the page using FireBug or IE developer toolbar, poke through the code and overwrite the CSS code.
Filed under: Security, Sharepoint Designer
