There are a couple of approaches you can take here. I'm going to assume that there's a role in your database ACL called [Editor], and that any users who are in that role may edit the entire document, while other users may only add attachments.
The most straightforward way is always to open the form in edit mode, and give all users access to edit the documents, but only [Editor] users may edit fields other than the file attachment control. This can be done with hide formulas that test @UserRoles = "[Editor]" to decide whether to show editable fields or display-only fields, or with a controlled-access section that uses the role name as its editor formula. Note: If you use hide formulas, for best performance create a CFD number field named IsEditor and put the above formula in there. Your hide formulas can refer to this field; that way you only have to evaluate the expensive @UserRoles function once.
If you need better security, use a computed Authors field (formula: "[Editor]") to absolutely control access to the document, and use pass-thru HTML to add a <FORM> with the file attachment control in it. Make the submit URL of the form a ...SomeOtherForm?CreateDocument. Include (via passthru) a hidden field that contains the UNID of the containing read-only document. Add a WebQuerySave agent to SomeOtherForm; make it run with the server's access. The agent would use the UNID to find the read-only document, then copy the attachment over and use Print to generate HTML that'll redisplay the read-only document. It might not be worth the trouble, depending how worried you are about people trying to break security.
Do you have comments on this Ask the Expert Q&A? Let us know.
Dig Deeper on Development Security for Lotus Notes Domino
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.