~Zelda Quetnukonyflar 30.Jul.03 07:33 PM a Web browser Domino Server 6.0.1 Windows 2000; Linux - RedHat
When running an agent triggered by a web user, whose properties specify that it should run with the "web user identity", the agent returns more data than it should.
To be more specific, the signer of the agent is a user with full rights for running "Unrestricted Lotus Script and Java Agents"; he is also the DB Manager for the DB where the agent is running and has role-based access to all documents in the database. On the other hand, the web user has no rights to run unrestricted agents, nor does he have unlimited access to documents in the database.
As I understand from the documentation, a server-based agent triggered by a web user runs with the programmatic rights of the signer, but with the ACL rights of the effective user, which in this case is the web user who triggered it via HTTP. The problem is that this agent returns data (documents) to which the effective user has no access, based on the Readers and Authors fields on each document.
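
A diagnostic agent for the situation described in the post above, as an added example (not part of the original post and not HCL's code): called from the browser, it prints the identity the session reports, that identity's ACL level and roles, and how many documents the session can see. It assumes it is saved in the same database and triggered over HTTP the same way as the agent in question.

```lotusscript
Option Declare

Sub Initialize
	' Added diagnostic example: shows which identity the agent session is
	' using, so it can be compared with the ACL and the Readers/Authors fields.
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim agent As NotesAgent
	Dim col As NotesDocumentCollection
	Dim effName As String
	Dim roles As Variant
	Dim level As Integer

	Set db = session.CurrentDatabase
	Set agent = session.CurrentAgent
	effName = session.EffectiveUserName

	' In a web-triggered agent, Print writes to the HTTP response.
	Print "Content-Type: text/plain"
	Print "Agent: " & agent.Name
	Print "Agent owner (signer): " & agent.Owner
	Print "Session.UserName: " & session.UserName
	Print "Session.EffectiveUserName: " & effName

	' ACL level (0 = No Access ... 6 = Manager) that the database ACL
	' grants to the effective name.
	level = db.QueryAccess(effName)
	Print "ACL level for effective user: " & Cstr(level)

	' Roles the ACL assigns to the effective name.
	roles = db.QueryAccessRoles(effName)
	Forall r In roles
		If Cstr(r) <> "" Then Print "Role: " & Cstr(r)
	End Forall

	' Number of documents this session can read. Compare it with the count
	' the same web user gets when opening a view directly in the browser.
	Set col = db.AllDocuments
	Print "Documents visible to this session: " & Cstr(col.Count)
End Sub
```

If the effective name printed is the signer rather than the web user, or the visible document count matches what the signer sees, the agent is not running under the web user's identity.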