For an XPages application with Java beans I need to check if a certain user (not the current user) has reader access to a document. All access levels above (Database ACL, XPage ACL...) can be taken for granted. The current user is always at least author.

Each document has one reader field "readers" and three author fields "creator", "authors", "AdminAuthor"; the last can be ignored, since it always only contains "[Admin]" for every document.

The current idea is to get the groups of the user as shown here (Determine all groups for a defined user), loop through them and compare them to the content of the reader and author fields.

Why I don't like it:

  • use of an undocumented API
  • horrible performance

Is there any better way to do so? Especially with nested groups in mind, so $ServerAccess view is not really an option.

Current code:

    import java.util.Vector;

    @SuppressWarnings("unchecked")
    public boolean isReader(String notesName, String documentID) {
        try {
            // Values of the reader and author fields of the document
            Vector<String> readers = getAllReaderFieldsValues(documentID);
            // Direct hit: the user is listed by name
            if (readers.contains(notesName)) {
                return true;
            }
            // Undocumented API: resolves the names list (groups) of the given user
            lotus.notes.addins.DominoServer server = new lotus.notes.addins.DominoServer(
                    DominoUtils.getCurrentSession().getServerName());
            for (String group : (Vector<String>) server.getNamesList(notesName)) {
                if (readers.contains(group)) {
                    return true;
                }
            }
        } catch (NotesException e) {
            //ErrorHandling
        }
        return false;
    }

Thanks for any help

J Mers
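The comparison described in the question, as an added example that is not part of the original post: it takes an already resolved names list and also covers two cases the loop above does not make visible, a document whose reader field is empty and access granted through an author field. The class and method names are hypothetical, the sample names are constructed, and it assumes the names list already contains the user's name, all groups (nested ones resolved) and roles, compared case-insensitively.

```java
import java.util.*;

public class ReaderAccessCheck {

    // Trim and lower-case so "CN=Jane Doe/O=Acme" matches "cn=jane doe/o=acme".
    static Set<String> normalize(Collection<String> names) {
        Set<String> out = new HashSet<>();
        for (String n : names) {
            if (n != null && !n.trim().isEmpty()) {
                out.add(n.trim().toLowerCase(Locale.ROOT));
            }
        }
        return out;
    }

    /**
     * namesList: the user's own name plus every group and role (assumed resolved elsewhere).
     * readers: values of all reader fields; authors: values of all author fields.
     */
    static boolean canRead(Collection<String> namesList,
                           Collection<String> readers,
                           Collection<String> authors) {
        Set<String> readerSet = normalize(readers);
        if (readerSet.isEmpty()) {
            return true; // no populated reader field: the document is not read-restricted
        }
        Set<String> allowed = new HashSet<>(readerSet);
        allowed.addAll(normalize(authors)); // author field entries can read as well
        return !Collections.disjoint(allowed, normalize(namesList));
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real directory.
        List<String> jane = Arrays.asList("CN=Jane Doe/O=Acme", "Sales", "AllStaff");
        List<String> bob = Arrays.asList("CN=Bob Roe/O=Acme", "[Admin]");
        List<String> eve = Arrays.asList("CN=Eve Poe/O=Acme");
        List<String> readers = Arrays.asList("allstaff");
        List<String> authors = Arrays.asList("CN=Ann Lee/O=Acme", "[Admin]");

        System.out.println("jane via group:     " + canRead(jane, readers, authors));
        System.out.println("bob via role:       " + canRead(bob, readers, authors));
        System.out.println("eve, not listed:    " + canRead(eve, readers, authors));
        System.out.println("eve, empty readers: "
                + canRead(eve, Collections.<String>emptyList(), authors));
    }
}
```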

1 Answer

There are different ways to check if a user has access to a document, but all of these are undocumented (but have still been usable for a decade), so they won't fit your requirements (i.e. running in a different user context or a special view with a "$C1$" column, ...).

A "documented" way to do what you want is just to add a user to a reader field, if his name is not already in the list. There is no need to check if the user has access or not.

I am still wondering about your scenario, because I don't understand what you are trying to realize: You are checking if a user is in a specific group which gives him access to a document. If the user is in one of these groups, you skip his name. In the meantime, the user is removed from the group, and no longer has access to the document...

Why not work with groups or roles? No coding, just administration. Are you fixing organizational problems?

Sven Hasselbach
  • The scenario is the following: if a user is granted reader rights to a response document, he should be able to see all parent documents above. Since the reader fields are displayed to the user for information and editing, I don't want to make it a clusterfuck by creating duplicate or unnecessary entries (e.g. the user is already deep down somewhere in a nested group -> no need to add him) – J Mers Jan 22 '19 at 10:22
  • On Monday, the user is in one of the nested groups, the document is saved, the user is not explicitly added. On Tuesday, his name is removed from the group. On Wednesday he cannot access the document anymore... Now comes the question: How do you know if he still needs to have access or not? (In my eyes, you now have a clusterf**k) – Sven Hasselbach Jan 22 '19 at 10:30
  • And last but not least: You have to check the documents over and over again if the access rights are still correct or not (if you use the information from the response documents) – Sven Hasselbach Jan 22 '19 at 10:45
  • Good points, might have to rethink my design and the necessity/use of this function. Thanks – J Mers Jan 22 '19 at 10:58
  • If I understand it correctly, parent documents need to contain all readers from the responses below. What you can do is build an array of all authors and readers from the response documents and put this in a reader field on the parent (best create an array of unique values). It won't matter if the list contains usernames, groups or roles. You'll have to recalculate regularly however (at least each time a response has changed) to make sure it keeps working. – Tom Van Aken Feb 21 '19 at 16:09