This, that and the other (may contain nuts)

Lotus Notes Domino - Public Access use in web applications

Steve Castledine  28 May 2008 08:41:42
We were having a discussion yesterday about "public access/public documents" and their use in web applications on Lotus Domino.

First, a bit of information on "public access". Put in very basic terms, it was originally needed by the mail template to create a "two tier" access system: people had to be let into your mail database to access your calendar and so on, but denied access to your email, so this second tier of "public documents" was created. This access type has two levels, "read" and "write".

So if someone is granted "Read public documents" access to your application, they can access all design elements marked "public access". If a document has been created with a "public access" form and an associated view also has "public access" set, then they can see that data even if they have "No Access" to your application.

The second level of access is "Write public documents". This allows you to create data in an application that you may have No Access to, again using design elements marked as "public access". Because this level also allows you to edit/delete any public document (whether you created it or not, and whether you have delete rights or not), I don't believe this is safe to use on the web. So what can you achieve with "public access" on the web that you couldn't with standard ACL control?
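As an added example (not code from the original post), here is a LotusScript agent that audits a database for the two things described above: ACL entries granted "Read/Write public documents", and forms, views and folders flagged "Available to Public Access users". It assumes that design flag is stored as a `$PublicAccess` item on the design note.

```lotusscript
' Added audit agent (not from the original post). Run it in the database
' you want to check; it prints who holds public-document rights and which
' design elements those users can reach.
' Assumption: the "Available to Public Access users" property is stored as
' a $PublicAccess item on the form/view/folder design note.
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim nc As NotesNoteCollection
    Dim design As NotesDocument
    Dim nid As String
    Dim rights As String

    Set db = session.CurrentDatabase
    Set acl = db.ACL

    ' 1. Public reader/writer flags apply even to entries at "No Access",
    '    so list them regardless of the entry's ACL level.
    Print "ACL entries with public-document rights in " & db.FilePath
    Set entry = acl.GetFirstEntry
    Do Until entry Is Nothing
        rights = ""
        If entry.IsPublicReader Then rights = rights & " read"
        If entry.IsPublicWriter Then rights = rights & " write"   ' edit/delete any public doc
        If rights <> "" Then
            Print "  " & entry.Name & " (level " & entry.Level & "):" & rights
        End If
        Set entry = acl.GetNextEntry(entry)
    Loop

    ' 2. Which forms, views and folders expose data to those users?
    Set nc = db.CreateNoteCollection(False)
    nc.SelectForms = True
    nc.SelectViews = True
    nc.SelectFolders = True
    Call nc.BuildCollection
    Print "Design elements available to Public Access users:"
    nid = nc.GetFirstNoteID
    Do Until nid = ""
        Set design = db.GetDocumentByID(nid)
        If design.HasItem("$PublicAccess") Then
            Print "  " & design.GetItemValue("$TITLE")(0)
        End If
        nid = nc.GetNextNoteID(nid)
    Loop
End Sub
```

Any entry listed under "write" can edit or delete every document reachable through the listed design elements, which is the case the post argues against on the web.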

So this leads me to my main question(s): what are people's uses for "public access documents" in web applications, and were they aware of the security implications? Maybe people can even correct me - maybe I have this all wrong? It wouldn't be the first time (or the last), and I love to learn.