Directory Assistance is Over-Protective
I have developed a user management application for a customer which is also included in the server's directory assistance. The database uses some views I copied from the Domino Directory to enable it to be used properly in directory assistance. To keep things simple my person form is called "Person" and the field names are the same as in the DD's person form (e.g. FirstName, LastName, Type, ...).
The user management application also includes company documents, and each company has one special user who is allowed to create and edit additional users for that company. Thus this user has Author access in the database ACL with the right to create documents. Now whenever this special user edits a person document from either a web browser or the Notes client, some random fields are treated as if the security setting "must have at least Editor access to use", which is set for fields in the Domino Directory's Person form, were set in my form as well (which of course isn't the case). They all get the "PROTECTED" flag set. This prevents the fields from being modified by an Author user and thus prevents my special user from modifying the person documents. Bummer. I don't know yet how to solve this, since the logical solution would be to rename the fields. But this again will probably prevent my application from working as a directory in directory assistance. Another way would be to copy the documents to a "real" Domino Directory, but I hope I can avoid that overhead.
The good thing is - I am at Lotusphere where all the Domino developers are hanging around in the labs. I am going to go there later and hopefully I will get a good solution to my dilemma. Let's hope for the best.
First Update (26.01.2006)
I talked to Steve Leland about the problem and showed it to him. He promised to look into this but of course could not fix it now. Since the application needs to be delivered in the very near future I will have to use a workaround. I will probably rename the fields and use a backend agent running with the server's rights to copy the edit fields to the actual fields after the WebQuerySave agent has run.
Second Update (06.02.2006)
I have tried several workarounds, including a WebQuerySave agent not running as a web user which starts another agent (using the RunOnServer method) running on behalf of the server which removes the "protected" flags. I also tried to rename the (as I thought then) critical fields like FirstName, LastName etc., but since it can affect any field on the form (no matter if they are editable or computed or computed when composed) I have run out of options. My only recourse now is to remove the database from directory assistance and write an agent to synchronize the person documents with a "real" Domino Directory.
I have searched the knowledge base and LDD but apparently nobody else ever encountered the problem (which is reproducible with any database which is included in directory assistance btw.).
Third Update (06.02.2006)
The problem now has been assigned an SPR number (SLED6LRN9K). I'll update this entry when I get any news on it.
Fourth Update (10.02.2006)
Excerpt from my mail to Steve Leland describing the issue in a bit more detail:
Tested on Servers:
- Domino 5.0.13a on Windows 2000
- Domino 6.5.3 on Windows 2000
- Domino 7.0 on Windows XP Professional (I know this is not a supported server OS, but it's a development server)
Notes clients:
- Notes 5.0.11 on Win XP Prof
- Notes 6.5.4 on Win XP Prof
- Notes 7.0 on Win XP Prof
Web browsers:
- IE 6 SP2
- Firefox 1.0.7
Steps to reproduce:
- Create a new database on a Domino server (select blank as template).
- Create a form in the database
- Create some fields on the form: at least one field of type Authors and at least one field with the same name as a field with the property "Must have at least Editor access to use" in a form (e.g. the Person form) in the Domino Directory (e.g. LastName, FirstName, Type, MailSystem, ...). The field you are creating must not have this property set.
- Include this database in the directory assistance of the server. It does not matter whether or not the necessary views for the Directory Assistance to actually work are present in the database.
- Make sure the database is actually included in the directory assistance (e.g. by looking at the "People & Groups" tab in the Domino Administrator client).
- Give a user or a group author access (with the "Create documents" permission for easier testing).
- Create some documents. Make sure that one or more users with Author access to the database are included in the Authors field to enable them to edit the documents. (It does not matter if the documents are created by a user with Author or with higher access.)
- Using a Notes ID with Author access to the database, edit the documents (for simplicity modify all field values and set them to the same value (except the Authors field of course)) and save them. Alternatively use a web browser and the username and password of a user with Author access to the database.
- To verify the problem, open the documents and check if any values you modified in the previous step were not saved.
- Using the document properties box, look at these items. You should see "Field Flags: SUMMARY PROTECTED" for the items affected. This prevents users with Author access to the database from modifying the fields (saving modified field values).
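The document-properties check in the last two steps can be run over every document at once. The following LotusScript agent is an added example, not part of the original post or mail; it assumes the form name "Person" used in the post and reports each non-system item whose PROTECTED flag is set.

```lotusscript
Option Public
Option Declare

' Added example: audit agent listing items that carry the PROTECTED flag.
' Assumption: documents use the form name "Person" as in the post.
Const FORM_NAME = "Person"

Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim col As NotesDocumentCollection
	Dim doc As NotesDocument
	Dim flagged As String
	Dim flags As String
	Dim docsScanned As Long
	Dim docsAffected As Long

	Set db = session.CurrentDatabase
	' Select every document created with the form under test.
	Set col = db.Search({Form = "} & FORM_NAME & {"}, Nothing, 0)
	Set doc = col.GetFirstDocument

	Do Until doc Is Nothing
		docsScanned = docsScanned + 1
		flagged = ""
		Forall it In doc.Items
			' Skip system items ($Revisions, $UpdatedBy, ...) so the
			' report shows only fields that come from the form.
			If Left$(it.Name, 1) <> "$" And it.IsProtected Then
				flags = "PROTECTED"
				If it.IsSummary Then flags = "SUMMARY " & flags
				flagged = flagged & " " & it.Name & " [" & flags & "]"
			End If
		End Forall
		If flagged <> "" Then
			docsAffected = docsAffected + 1
			Print doc.UniversalID & ":" & flagged
		End If
		Set doc = col.GetNextDocument(doc)
	Loop

	Print "Scanned " & docsScanned & " document(s), " & _
	docsAffected & " with protected items."
End Sub
```

Run it with an ID that can read all documents, once before and once after an Author-level edit; any item name that appears only in the second run picked up the flag during that save.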
Fifth Update (20.08.2006)
The SPR now has been filed and can be found in the knowledge base as technote #1237167 (see http://www.domblog.de/domblog.nsf/d6plinks/JPOR-6SUEWH).