Differences in Security Between Custom Lists and Form Libraries

Folks,

Some of you may notice at some point that you can have nice granularity of security settings in WSS/Portal on custom lists.   If you look you'll see that you can you allow people to add items but not delete, not see other's people's postings, etc.   What may seem odd to you is that the same level of granularity is not afforded document or form libraries.   There you will see that the security is much more spartan, either you have the ability to post something to a library or you don't.   And if you do, you have full privileges to everything there.  So that creates a level of ogida (philly word for heartburn) with people that are trying to use form libraries and InfoPath to allow people to post content but not edit it once it's there nor view other people's postings.   It's no secret that we don't have item level security on document libraries in WSS, and that creates a barrier for some solutions.   I did some research and bugging of people on the products teams and found out that custom lists got special treatment due to the need to accommodate surveys.   You'll note it's very easy to post a survey in WSS, and in order for surveys to make sense, you've got to be able to lock out people from viewing each other's data.   The guys responsible for surveys had to fight to get this in the product, and the folks responsible for the libraries didn't go to bat for it and didn't get it.   Unfortunately this didn't make the cut for v.3 of WSS either - I checked.   That's too bad, but at least we'll have item-level security in WSS which will provide the same effect, it'll just be more work.   The way I've seen this handled is either to do some business rules or views in the forms to prevent the submit button from working or having different behaviors based on the status of the form, or dealing programmatically with form libraries and doing automatically moving of postings from one library with one set of permissions to another library with a different set of permissions using some kind of event handler.   I don't have any code snippets on that but if there is demand maybe I'll post something somewhere down the line.