Controlling Users Browsing thru Domino Apps

Unexpected / unauthorized use of views

If a user can see the name of a Notes view in a URL, they can open and browse that view from a Web browser much as they would from the Notes client. This is true even if the designer of the database never intended Web users to use the view that way. The designer can prevent this by creating a simple $$ViewTemplate form for the view that contains no $$ViewBody field, so the view's contents are never rendered. That same $$ViewTemplate can be used to block access to several different views simply by adding aliases for the other view names (each alias separated with a vertical bar "|").

Example:
If you see this URL in a Domino application:

http://gasupply.doas.state.ga.us/apps/gss/supply.nsf/lookup/logo/$file/logo.gif

a user can insert "?OpenView" after the name of the view, like:

http://gasupply.doas.state.ga.us/apps/gss/supply.nsf/lookup/?OpenView

thus giving them possibly unexpected access to the database. That is not so bad if the view only contains images. It could be much worse if the view contains all the documents in the database.
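Beyond hiding the view with a $$ViewTemplate, it is worth checking the Web server's access log for view-opening requests against views that were never meant for browsers. The following script is an added example and is not part of the original article. It assumes the Domino HTTP server writes its access log in Common Log Format and that the administrator maintains a per-database allowlist of views that are intended for Web use (the shape of that allowlist is an assumption made here). The log lines are constructed for the example and echo the article's URL; besides ?OpenView it also treats ?ReadViewEntries, Domino's URL command that returns view entries as XML, as a view-access command, since it exposes the same data.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in Common Log Format.
# The host path and database name echo the article's example; everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2000:10:01:02 -0500] "GET /apps/gss/supply.nsf/lookup/logo/$file/logo.gif HTTP/1.0" 200 5120
10.0.0.5 - - [12/Nov/2000:10:01:09 -0500] "GET /apps/gss/supply.nsf/lookup/?OpenView HTTP/1.0" 200 8831
10.0.0.7 - - [12/Nov/2000:10:02:30 -0500] "GET /apps/gss/supply.nsf/Catalog?OpenView HTTP/1.0" 200 12004
10.0.0.9 - - [12/Nov/2000:10:03:11 -0500] "GET /apps/gss/supply.nsf/lookup?ReadViewEntries HTTP/1.0" 200 4400
10.0.0.9 - - [12/Nov/2000:10:04:00 -0500] "GET /apps/gss/supply.nsf/Catalog/abc123?OpenDocument HTTP/1.0" 200 3000
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTOCOL" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Domino URL commands that render or export a whole view.
VIEW_COMMANDS = {"openview", "readviewentries"}


def parse_domino_view_request(target):
    """Return (database, view, command) when the request opens a view via a
    Domino URL command, otherwise None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # The Domino command is the first token of the query string (e.g. "OpenView&Start=1").
    command = parts.query.split("&", 1)[0].lower()
    if command not in VIEW_COMMANDS:
        return None
    # The view name is the first path element after the .nsf database.
    m = re.match(r"^(?P<db>.*?\.nsf)/(?P<view>[^/?]+)", path, re.IGNORECASE)
    if not m:
        return None
    return (m.group("db"), m.group("view"), command)


def audit_view_access(log_text, web_views):
    """Scan CLF log lines and return one finding per view-opening request whose
    view is not in the allowlist for its database.

    web_views: {"/path/to/db.nsf": {"ViewA", "ViewB"}}  (assumed allowlist shape)
    """
    allow = {db.lower(): {v.lower() for v in views} for db, views in web_views.items()}
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        parsed = parse_domino_view_request(m.group("target"))
        if parsed is None:
            continue
        db, view, command = parsed
        if view.lower() in allow.get(db.lower(), set()):
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "db": db,
            "view": view,
            "command": command,
            "status": int(m.group("status")),
        })
    return findings


if __name__ == "__main__":
    # Only the Catalog view is meant to be browsed from the Web in this constructed setup.
    allowlist = {"/apps/gss/supply.nsf": {"Catalog"}}
    for f in audit_view_access(SAMPLE_LOG, allowlist):
        print(f"{f['time']} {f['ip']} opened {f['db']} view '{f['view']}' via ?{f['command']} (HTTP {f['status']})")
```

Run on the sample, the script reports the two requests that open the "lookup" view (one with ?OpenView, one with ?ReadViewEntries); the image fetch, the allowed Catalog view and the ?OpenDocument request are ignored. A 200 status on such a finding tells you the view is still reachable and needs the $$ViewTemplate treatment; after the fix, the same request still appears in the log but renders nothing, so the log check remains a useful regression test.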

This was first published in November 2000
