IBM Support

LO85596: RENAMED USER CAN ACCESS DOCUMENTS IN DATABASE WITH $READERS FIELD WHEN OPTION DO NOT MODIFY NAMES FIELDS IS SELECTED

APAR status

  • Closed as user error.

Error description

  • Renamed user can access documents in database with $Readers
    field when option Do not modify Names Fields is selected
    
    Unexpected behaviour:
    
    When a user is renamed and the database has the option "Do not
    modify Names fields" selected (ACL > Advanced), a user who is
    listed in the $Readers field of a document in that database can
    still access the document after being renamed, even though the
    old name is the one listed in the $Readers field and the new
    name is not selected in the $Readers field of the document.
    The user has Editor access in the ACL of the database.
    
    The expected behaviour is that the user with the new name
    should not be able to read that document.
    
    The Administration Help manual states:
    
    http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/88a079b9f960161085257b19005b4b33?OpenDocument
    
    Author
    Note: Author access, by default, does not include the access
    level option "Create documents." When you assign Author access
    to a user or server, you must also specify the "Create
    documents" access level privilege.
    
    Allows users to:
    Create documents
    Edit the documents where there is an Authors field in the
    document and the user is specified in the Authors field
    Read all documents unless there is a Readers field in the form
    
    
    Steps to reproduce the issue
    
    1. Install Domino 901FP2
    2. Register a test user: "Test User01/ACME"
    3. Create a blank database: "testdb.nsf"
    4. In the ACL of this sample database "testdb.nsf", set the
    permissions as:
    Default = No Access
    Anonymous = No Access
    "Test User01/ACME" = Editor
    In the Advanced section of the database ACL > Action > select
    "Do not modify Names fields"
    5. In "testdb.nsf", create a form with a plain text field
    6. Create a document in "testdb.nsf" using that form
    7. Open the Document Properties > select the fourth tab > Security
    7.a In the section "Who can read this document",
    uncheck the option "All readers and above"
    7.b Select (placing a check mark next to each) from the list the
    readers that you want to have access to the document. Make sure
    that there is a check mark beside "Test User01/ACME"
    
    8. Log in as "Test User01/ACME" and verify that the user "Test
    User01/ACME" can read the document.
    9. Rename the user from
    
    Old name: "Test User01/ACME"
    to
    New name: "Test User012/ACME"
    
    10. Make sure that in admin4.nsf the rename is completed
    successfully
    
    11. Log in as the renamed user "Test User012/ACME". The user can
    still access the document even though there is no check mark
    beside the new name "Test User012/ACME" in the Document Properties
    The customer expects that, if they choose not to modify Names
    fields in a database, the user with the new name should not be
    allowed to access the database with the new name. This issue
    could cause a security problem, with users gaining access after
    a rename to documents that they are not allowed to access.
    
    
    In the document properties, under "Who can read this document" >
    "All readers and above", you can see that the old name
    "Test User01/ACME" has a check mark, and that the new name
    "Test User012/ACME" has also been included, without a check mark.
    
    
    Field Name: $Readers
    Data Type: Text List
    Data Length: 119 bytes
    Seq Num: 6
    Dup Item ID: 0
    Field Flags: SIGN SUMMARY READ-ACCESS
    
    "CN=servername/O=ACME"
    "OtherDomainServers"
    "LocalDomainServers"
    "CN=User Administrator/O=ACME"
    "CN=Test User01/O=ACME"
    
    NOTE: The same behaviour is experienced if, instead of a blank
    database, a test database created from the discussion template
    StdR9Discussion is used.
    
    
    Title:  Readers fields versus $Readers fields and how to
    populate them with multiple names
    Doc #:  1093049
    URL:    http://www.ibm.com/support/docview.wss?uid=swg21093049
    

Local fix

  • Remove the old name "Test User01/ACME" from document
    properties > "Who can read this document" >
    "All readers and above".
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# BBSZ9Y8FYA.
    The problem was caused by a user error or user misunderstanding.
    

APAR Information

  • APAR number

    LO85596

  • Reported component name

    NOTES CLIENT

  • Reported component ID

    5724E6255

  • Reported release

    900

  • Status

    CLOSED USE

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-07-08

  • Closed date

    2015-07-17

  • Last modified date

    2015-07-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

Document Information

Modified date:
17 July 2015