Notes.ini Entry



Name:

    Enforce_EffectiveUserRights_EvaluteCommand

Syntax

    Enforce_EffectiveUserRights_EvaluteCommand=0 / 1

Applies to:

    Workstations

Add-on:


    First Release:

      6.5.6

    Obsolete since:


      Category:

        Access

      Default:

        None

      UI equivalent:

        None

      Description:
      When using the Evaluate LotusScript method in conjunction with specific @ formula commands to design views and agents, it was found that unexpected results could be returned. In specific situations, the view or agent could return information of which the user normally would not be able to access. These results are dependent on how the view or agent is written, and which identify (server or user) is being used to execute the view or agent.

      In the past, the security context default was the server, and thus in certain situations the server identity would be used.

      This issue was reported to Quality Engineering as SPR# KEMG6M9RAU. Starting with Lotus Domino releases 7.0.3 and 8.0, you will be able to control the security context with the notes.ini parameter Enforce_EffectiveUserRights_EvaluteCommand

      This notes.ini parameter can be set to the value of 0 (Don't Enforce) or 1 (Enforce) to control whether the server context or user context is used. If this parameter is not set, then it will use the default for the specific version in use.

      -- The default for Lotus Domino 7.0.3 is "Don't Enforce"

      -- The default for Lotus Domino 8.0 (or higher) is "Enforce"

      Refer to the Upgrade Central site for details on upgrading Notes/Domino.

      Michael Gollmick of TIMETOACT Software & Consulting GmbH and Daniel Nashed of Nash!Com contacted IBM® Lotus® to report a potential LotusScript security vulnerability with Lotus Domino®. This issue has been fixed in Lotus Domino releases 7.0.3 and 8.0 with the use of a new notes.ini parameter.