
Thursday, May 29, 2014

Server agents with "Run as Web user" or "Run on behalf of" property enabled which run on NotesDocuments with READERS fields - IMPORTANT!

Hello guys

I think this will be interesting for you.

If you have a server agent with the "Run as Web user" or "Run on behalf of" property enabled, and it works with NotesDocuments that carry a READERS field, you always have to add an extra validation: check that the NotesDocument.Items property is not empty before you touch any item of the document.

This is far from obvious, but it is a critical point. Documents the effective user is not allowed to read are still returned in the collection; they simply expose no items.

I'll show you.


1) I created a test database with one simple form and added one Readers field to it.

2) Then I created three documents and put values into the Readers field of each of them, so all three documents have something in that field. Two documents have exactly the same list in the READERS field, and the third document has one additional member in its READERS field.

3) Then I created an agent that collects all documents in the database and prints their count together with the number of items in each document.

4) Let's run it and see what happens.
The agent gets three documents, and each of them has four fields, as expected.

5) Then let's set the "Run on behalf of" property to the name of the user that I used as the additional member in the READERS field of only one document.
6) Let's run the agent again.
*Before you check the results, ask yourself what you expect the agent to get.
I would expect to get one document: the only one accessible to the user set in the "Run on behalf of" property.
That is the natively expected, default behavior of Lotus Notes: if you are not a member of the READERS field (explicitly or via a group/role), you can't see the document, and for you it simply does not exist.
However, this is what I actually see:


So, as you can see, I received a collection containing all three documents, including the two the user from the "Run on behalf of" property has no access to. However, for those two documents the agent could not reach any of their fields (Items is empty), which is correct from a security standpoint. The point is that the collection count and the existence of the document in the collection tell you nothing about whether the effective user may read it.

It works the same way with the "Run as Web user" property enabled, for example when you use FT search or trigger the agent from the Web.

So, do not forget to check If Not IsEmpty(doc.Items) Then ... before reading any item from a document, and do not treat such a document as empty or broken: it is a document the effective user is not allowed to read. If the agent needs to process all documents regardless of the effective user, it has to run under its signer instead.
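Here is an agent that applies this check, written for this post as an added example; it is not the agent from the screenshots above. It assumes a database whose documents carry a Form item and a Readers field, and that the agent has "Run on behalf of" or "Run as Web user" set in its properties as described above.

```lotusscript
' Added example, not the agent from the original post.
' Walks every document in the current database under the effective user and
' reads items only from documents whose Items array is populated. Documents
' hidden from the effective user by a Readers field are still present in the
' collection, but doc.Items is Empty for them, so any GetItemValue would fail.
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim dc As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim n As Integer
    Dim readable As Integer
    Dim hidden As Integer

    Set db = session.CurrentDatabase
    Set dc = db.AllDocuments

    ' With "Run on behalf of" / "Run as Web user" this is the impersonated user,
    ' not the agent signer.
    Print "Effective user: " & session.EffectiveUserName
    Print "Documents in collection: " & dc.Count

    Set doc = dc.GetFirstDocument
    Do Until doc Is Nothing
        n = n + 1
        If IsEmpty(doc.Items) Then
            ' The Readers field excludes the effective user. The document is in
            ' the collection, but none of its items can be read. Skip it; it is
            ' neither empty nor malformed.
            hidden = hidden + 1
            Print "  document " & n & ": no readable items (Readers restriction), skipped"
        Else
            readable = readable + 1
            Print "  document " & n & ": " & (UBound(doc.Items) + 1) & " items, Form=" & doc.GetItemValue("Form")(0)
        End If
        Set doc = dc.GetNextDocument(doc)
    Loop

    Print "Readable: " & readable & ", hidden by Readers field: " & hidden
End Sub
```

Run it first without "Run on behalf of" and then with it set to the extra READERS member from step 5: dc.Count stays the same in both runs, while the readable/hidden split changes. Any code path that counts documents, exports them or writes back to them must branch on the IsEmpty(doc.Items) test, never on dc.Count or on the document merely being present.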


