As a site owner, I set permissions for "access" to be "read" but nothing else. (In fact, this is the default.) A user who is "access" is able to add items and remove them. This seems to be a bug. The user should only be able to do what permissions allow. Some faculty want to be able to give students read and new, but not delete. That way they can't put a document in the drop box and later delete or replace it. I believe it would make sense to default permissions to read, new, revise and delete, but if you clear one that should be implemented.