1

I would like to restrict some functions in a user written server add-in for certain users or groups.

Question: Is it possible to get (via an API) the user name who is sending a "Tell" command from a remotely connected server console?

Example:

  • Tell AddinName Command (issued remotely by Hotline User)
  • Tell AddinName Command (issued remotely by Admin User)

The remote console (and therefore the "Tell" command) is available to both users, but a subset of commands should only be allowed to authorised users (e.g. Group in Server Document->Security).

  • Is the user name (entering the "Tell" command) available (e.g. in the MessageQueue)?
  • I know that internally in Domino there are already some restriction possible to commands issued at the console.
  • The session.getCommonUserName() always returns the server name (since the add-in runs in context of the server).

Thanks for any pointer or ideas.

Andy

Andy Brunner
  • 133
  • 3
  • 12

1 Answers1

2

I believe that the answer to this is no, and it would not be advisable to implement tell commands that you can't trust to all authorized administrators.

If you really do need to confirm a user identity for a command, you're going to need to use database to queue the commands. I.e., you could build an application that stores the commands in documents in a database with a restricted ACL. Your addin code can use an Extension Manager hook to monitor the database for changes and read new documents when they appear, or you could have your application use NotesSession.SendConsoleCommand to issue something like 'tell myAddIn process ' to wake up your addin and give it the noteid of the document it just created. If you need to protect against people with full access admin rights overriding the ACL, your application could digitally sign the documents and your addin could verify the signatures.

Richard Schwartz
  • 14,463
  • 2
  • 23
  • 41