Updating Domino Form as Anonymous user

I am trying to build a double-opt in system for a marketing newsletter.

So far I have built an HTML form that when submitted, the contents ends up as a document in a Notes database.

Once the document is submitted, an agent runs, emailing the person who submitted the document, with a link to the document in the Notes database.

The link is in the format : http://www.acme.com/547895489345789789379/5438539083490534905/32892348902339 http://www.acme.com/547895489345789789379/5438539083490534905/32892348902339

What I want to do at this point is 2 things :

1. Update the document as an Anonymous user using a button / hotspot, which modifies a hidden field on the document to “Completed”

2. Modify the Unique ID of the document, so that once the document has updated, it is no longer available via the Webpage.

So far, I have managed to do stage 1 of above, using ?editdocument on the end of the URL and then updating the document via a button and saving.

However, in order for that to work, Anonymous requires Editor access in the ACL, which is not workable.

Does anyone have any suggestions on how I could achieve the above ?

Many thanks.

Subject: Re: Right, I missed that point. Readers can’t create documents of course. But…

Thank you all for your help.

Subject: Re: What if you grant Reader access to Anonymous?

Thanks Jochen.

Unfortunately, giving Anonymous, Reader access, doesn’t work.

I have created an HTML form, which when submitted, creates a document in the Domino database. If I set Anonymous as depositor, then the form is submitted and is accessible via the automated email link, until I use the $PublicAccess flag you suggested.

If I set Anonymous to Reader, it prompts for Username and Password when trying to submit the initial HTML document to the Domino database.

Maybe I will just stick with Depositor access.

Subject: Right, I missed that point. Readers can’t create documents of course. But…

…you could grant Author access to Anonymous

• protect documents from unwanted access by Readers fields
• protect forms from unwanted access by means of Form properties > Security tab

Or go with Carl’s suggestion and use an agent to modify forms submitted by anonymous users.

Subject: Re: $PublicAccess

I tried the $PublicAccess route and it does exactly what I want.

The only downside, is that once the $PublicAccess is set to 0, then clicking on the link takes to you to the Domino Login prompt, which I was trying to avoid.

Subject: What if you grant Reader access to Anonymous?

You could complement the $PublicAccess route, as you put it, by granting Reader access to Anonymous. That way you’d get rid of the Login prompt, even when $PublicAccess is no longer present or has a value other than “1”.

To minimize potential vulnerabilities, protect any documents you do not want Anonymous to see by adding a Readers field that contains names of, or roles assigned to, authorized people.

EDIT: If you use a Readers field, make sure it contains also the server name(s).

Subject: $PublicAccess

You could add a field named $PublicAccess having a value of “1” to the document. It is then sufficient to grant access level ‘No access’ + optional privileges ‘Read public documents’ and ‘Write public documents’ to Anonymous.
To hide the documents from users once they have completed and submitted the form, simply remove the $PublicAccess field.

Subject: Any other options ?

Are there any other ways of doing what I suggest ?

Subject: Why don’t you just call an agent that does the updating?

Pass the agent the details in the completed form. Or save the form as a new document, and in the post query save the agent code updates the document etc.

Subject: sessionAsSigner

You want to investigate sessionAsSigner which will run code as the signer. I used it in a managed bean but there are other examples out there.