Author Topic: Preventing ?ReadViewEntries  (Read 3221 times)

machineslave
Preventing ?ReadViewEntries
« on: 26.09.06 - 15:46:29 »

Is there some way to prevent ?ReadViewEntries on a view in the browser? (I mean independently of the access rights.)





  • Guest
Re: Preventing ?ReadViewEntries
« Reply #1 on: 27.09.06 - 10:30:17 »
Unfortunately, that is not possible:

You are concerned about possible security implications when Web users execute a URL with ?ReadViewEntries, similar to the following:


Can you disable this command on the server?

No, there is no way to disable this command on the Domino server.  An enhancement request for this new functionality has been submitted to Lotus Software Quality Engineering; however, there are no plans to address it in the currently supported Domino product series.

As noted in the Domino Designer Help, this command returns only the documents a user is allowed to access.  Therefore, setting proper Access Control Lists (ACL) on your databases will prevent users from seeing any information you wish to restrict, even if they use the ?ReadViewEntries command.

Supporting Information:

The ReadViewEntries command returns an XML listing of documents within a view.  It can be used by client-side Java applets to make use of documents in the database.  It is possible to use Redirection Mapping documents to redirect browser requests that use the ?ReadViewEntries command.  However, the redirect may prevent certain Java applets from working correctly.  Therefore, the best practice is to use ACLs to restrict access.


  • Guest
Re: Preventing ?ReadViewEntries
« Reply #2 on: 27.09.06 - 10:31:23 »

Do XML commands such as ?ReadEntries and ?ReadViewEntries represent a security risk?

No.  Documents are protected by ACLs and this applies when using the XML commands as well.

It is important for developers and administrators to understand the Domino Security Model and apply the features appropriately, based on the security needs of the data contained within the application.  Documents within a database are first controlled by access to the database itself.  If documents within the database need to be further restricted, then reader names controls should be used to protect the data at the document level. This is the correct usage of the Domino security model. Web site designers should always use the true Domino security features to safeguard data. Designers should never attempt to hide sensitive data by using obscure view names, hide-when formulas in forms, or other pure design features, as there may be alternate paths for a Web user to get at the data.

If the Domino security model is applied correctly to a database, the XML commands, ?ReadEntries, ?ReadViewEntries and ?ReadForm, do not represent any kind of a security risk.

For more information on properly securing your Domino applications and environment, please refer to the following resources:

Designing a Secure Domino App

Lotus Security Handbook Redbook

Lotus Notes and Domino R5.0 Security Infrastructure Revealed
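
Added example, not part of the original posts or of the quoted technotes: since the command cannot be disabled, an administrator can at least check where it is being used. This Python example scans web access log lines for the three XML commands named above and counts the targets that were answered with status 200 for unauthenticated requests, which are the candidates for an ACL review. It assumes NCSA Common Log Format, case-insensitive command names and `!` as an alternative command separator; all log lines, hosts and paths are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (assumed NCSA Common Log Format; all values made up).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2006:10:30:17 +0200] "GET /crm.nsf/ByCustomer?ReadViewEntries&Count=1000 HTTP/1.1" 200 48211
192.0.2.10 - - [27/Sep/2006:10:30:19 +0200] "GET /crm.nsf/ByCustomer?OpenView HTTP/1.1" 200 9120
192.0.2.11 - jdoe [27/Sep/2006:10:31:23 +0200] "GET /crm.nsf/ByCustomer?readviewentries HTTP/1.1" 200 48211
192.0.2.12 - - [27/Sep/2006:10:32:00 +0200] "GET /hr.nsf/Salaries!ReadViewEntries HTTP/1.1" 401 512
192.0.2.13 - - [27/Sep/2006:10:33:00 +0200] "GET /docs.nsf/Request?ReadForm HTTP/1.1" 200 2048
"""

# host ident user [date] "METHOD path ..." status bytes
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# The three XML commands from the posts above. Assumptions: the server matches
# command names case-insensitively and accepts "!" in place of "?".
XML_CMD = re.compile(r'[?!](ReadViewEntries|ReadEntries|ReadForm)(?=&|$)', re.I)


def xml_command_hits(log_text):
    """Return (host, user, target, command, status) for each XML-command request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        host, user, path, status = m.group(1), m.group(2), m.group(4), int(m.group(5))
        cmd = XML_CMD.search(path)
        if cmd:
            target = path[:cmd.start()].lower()  # database/view or database/form
            hits.append((host, user, target, cmd.group(1).lower(), status))
    return hits


def anonymous_exposure(hits):
    """Count XML-command requests answered with 200 for unauthenticated users."""
    return Counter((target, cmd) for _, user, target, cmd, status in hits
                   if user == "-" and status == 200)


if __name__ == "__main__":
    for (target, cmd), n in sorted(anonymous_exposure(xml_command_hits(SAMPLE_LOG)).items()):
        print(f"review ACL: {target} answered ?{cmd} anonymously {n} time(s)")
```

A target listed here is only a prompt to check the database ACL and reader names fields; whether the returned XML contained anything sensitive depends on those settings.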

