SECURITY ALERT? Readers names fields not working as expected in R6 address book template

HCL Domino Domino Forum
1

I just ran into something which seems to be an interesting security (or documentation?) issue in R6.

The problem:

Readers names fields set in a database based on the personal NAB template seem not to work properly / as intended.

The situation:

Using an R6 client and an R5 server I have created a database based on the R6 personal NAB template and a Lotusscript agent which sets readers fields on documents (I did this a hundred times before, and this agents works as intended).

However, after setting reader names on the documents, users who are NOT included in the reader names field still have access to the document.

Then, I put a readers names field into the form, manually edited a document through this form and set my name into this field. After saving, any other user still can read the document.

Finally, I have changed the readers list in the security tab on the document properties. This however worked immediately and actually restricted document access.

I examined the issue further and found the following:

  • fields created through LS or manually get flagged as SUMMARY READ ACCESS NAMES. This should normally do the job, but doesn’t in this case.

  • however, the $READERS field set through document properties revealed to be SIGN SUMMARY READ ACCESS NAMES

Now, I changed my LS agent to additionally SIGN the field - and things were working.

To crosscheck things I created a new database from scratch on each an R5 and an R6 server (from the respective clients). Again, my agent did exactly what I had expected, and users could only see the documents they were intended to see - without (!) signing the field. The agent-set fields were SUMMARY READ ACCESS NAMES, $Readers set through document properties again was SIGN SUMMARY READ ACCESS NAMES.

Now I know how to work around this issue, BUT:

  • is there any one out there who can explain WHAT actually happens or whether there is some bug in the personal NAB template?

  • what about all those people who use personal NAB-based databases as secondary addressbooks and who upgrade to R6? Will they have an issue that possible read-access fields suddenly don’t work anymore, revealing documents to people who shouldn’t access them?

Sounds all pretty interesting …

Stephan Holowaty

mailto:stephan.holowaty@holowaty.de

2

Subject: SECURITY ALERT?? Readers names fields not working as expected in R6 address book template

One thing is not quite clear to me: are you setting the $Readers field through your agent as well, or an other Readers field ?

cheers,

Tom

3

Subject: SECURITY ALERT?? The agent sets a field with another name …

The agent sets a field with another name