forge

Preventing users from using the UI to manage web parts

There has been a fair amount of talk lately about how any web part page in SharePoint — including many pages like list pages that people don’t think are web part pages — can have the web parts manipulated by simply adding parameters to the query string.  Those parameters cause the ToolPartPane to appear even if there was no administrative control on the page to cause it to appear.

This is true of the existing pages, but you can create your own site definition that doesn’t allow users to use the user interface to modify the web part placement or even add new items to the web part zone.  The WebPartZone class (and consequently the WebPartZone tag) support three interesting attributes/properties…

Help Your SharePoint User
  • AllowCustomization – Indicates whether customization is allowed or not.
  • AllowPersonalization – Indicates whether personalization is allowed or not
  • LockLayout – Indicates whether the layout of the zone is fixed — and can not be edited.

Quick testing shows that AllowCustomization must be set to true and LockLayout must be set to false for SharePoint to even show the web part zone in design mode.  Further investigation has shown that using the web services calls to modify web parts in the web part zone still seems to work — and editing the page in front page including web part placement still seems to work as well.  In other words, it’s possible to prevent users from modifying web parts in special zones, like navigation, while retaining the ability to control web parts in these special zones via code.