Tuesday, 10 April 2007

Domino Web Clients and Attachments

So, I did some investigation today as to whether an authenticated Domino web user still has access to attachments in documents that they have no access to. The easy answer would be no, but from what I’ve found, it seems that yes, the user may still have access to it.

There is documentation on the IBM website that covers web client and attachment access; you can read it here: http://www-1.ibm.com/support/docview.wss?uid=swg21085155

It discusses the $V2AttachmentOptions internal field that exists in Domino 4.6 and later.

I’ve followed their instructions, but found that as long as I had the exact URL of the attachment, I could still access the attachment, even though I didn’t have access to the document the attachment belongs to.

It turns out that, although it wasn't stated, $V2AttachmentOptions isn't a security measure, but simply one to hide the attachment on a web document.