A few weeks ago we hit a blocker in one of our projects. We were trying to configure the root site collection of a tenant in terms of uploading a custom page layout. Every time we tried we got “Sorry, you don’t have access to this page”

When you see something like this as a site collection admin, at least it’s odd. After playing around with setting the permissions again and double check die administrator rights we started searching the net for help. We came around some blogs that told us to delete the site collection and start all over again. We hadn’t done much yet so no problem, but it was the root site collection and this one indeed is special. After discussing the topic we decided to play it safe and ask support for help because recreating the root site of a tenant sounds not right.

Today the ticket got finally back to me and I had the chance to work with the support person on this topic. It took him literally two seconds to point me in the right direction. We had to change the following setting:

This allows users to run a custom script in the site collections. We also set it for the given site collection with a special powershell command (Set-SPOsite <SiteURL> -DenyAddAndCustomizePages 0) and boom it worked.

I was kind in a hurry, so just wrapped the call up with the support agent and off he was and I was a happy customer.

Later today I had a few minutes to reflect upon this case and something felt wrong. It’s just, why wasn’t this a problem at any other site? Why only the root site? What has a custom script permission to do with preventing a site collection admin from uploading a file to the master page gallery?

So I started reading the help link next to the “custom script” setting in the O365 admin centre. Turns out that this feature is activated by default on the root site collection for security reasons. Basically, it only allows a site owner to upload artefacts to the master page gallery. Every other site collection we tried was indeed created by our user, so this setting didn’t apply.

To quote the page: “The ability to add custom script to sites and pages is controlled by the Add and Customize Pages permission. While the global admin, can specify which users and groups are granted this permission, anyone who creates personal sites and team sites is by default, a site owner. A site owner can add any script they want to the pages on that site.” https://support.office.com/en-us/article/Turn-scripting-capabilities-on-or-off-1f2c515f-5d7e-448a-9fd7-835da935584f

I like the reason, don’t get me wrong, I really do. But in terms of a permission concept and also in terms of proper error messages this just feels like unfinished work. I have some issues with this approach:

1.) I’m connected as a global admin with site collection admin rights, I can do much worse than uploading some bad code to the master page gallery. I have trillion other ways to break the thing, why blocking me here?

2.) If the code block that stops my upload would be designed to also check if the current user is a site collection admin, it could point me directly to this setting, because it’s the only other reason why I shouldn’t be allowed to do this.

3.) I have to activate a setting that says “Allow users to run custom script on personal sites” and “Allow users to run run custom script on self-service sites” to be able to upload a file to the master page gallery as a site collection admin. I know the link next to the settings describes that the root site collection is special, but in no way you can guess this from the description and wording here. You have to know this stuff or in other words you probably need to hit this at least once in your SharePoint life…

 

To wrap it up, I hope this article helps anyone hitting the same issue and yes I do think there is some room left for improvement.