In the past, the default security context was the server, so in certain situations the server identity would be used.
This issue was reported to Quality Engineering as SPR# KEMG6M9RAU. Starting with Lotus Domino releases 7.0.3 and 8.0, you can control the security context with the notes.ini parameter Enforce_EffectiveUserRights_EvaluteCommand.
This notes.ini parameter can be set to 0 (Don't Enforce) or 1 (Enforce) to control whether the server context or the user context is used. If the parameter is not set, the default for the specific version in use applies.
-- The default for Lotus Domino 7.0.3 is "Don't Enforce"
-- The default for Lotus Domino 8.0 (or higher) is "Enforce"
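An added example, not IBM's code: a small audit that reads notes.ini text and reports whether enforcement is in effect, using only the values and defaults stated above. The function names and sample contents are constructed, and case-insensitive key matching is an assumption.

```python
# Added example: audit a notes.ini for the parameter named in this advisory.
PARAM = "Enforce_EffectiveUserRights_EvaluteCommand"  # spelled as on this page

def page_default(version):
    """Default stated on this page for a (major, minor, patch) release, else None."""
    if version >= (8, 0, 0):
        return True    # 8.0 or higher: "Enforce"
    if version == (7, 0, 3):
        return False   # 7.0.3: "Don't Enforce"
    return None        # release not covered by the page

def audit(ini_text, version):
    """Return (enforced, findings); enforced is True, False, or None if undetermined."""
    values, findings = [], []
    for line in ini_text.splitlines():
        if "=" not in line:
            continue   # section header such as [Notes], or a blank line
        key, _, value = line.partition("=")
        # Assumption: parameter names are compared case-insensitively.
        if key.strip().lower() == PARAM.lower():
            values.append(value.strip())
    if len(set(values)) > 1:
        findings.append("conflicting duplicate entries: %s" % values)
        return None, findings
    if values:
        if values[0] == "1":
            return True, findings
        if values[0] == "0":
            findings.append("explicitly set to 0 (Don't Enforce)")
            return False, findings
        findings.append("invalid value %r (expected 0 or 1)" % values[0])
        return None, findings
    default = page_default(version)
    if default is None:
        findings.append("parameter not set; no default stated for this release")
    elif not default:
        findings.append("parameter not set; release default is Don't Enforce")
    return default, findings

# Constructed sample notes.ini contents (not from a real server).
SAMPLE_UNSET = "[Notes]\nKitType=2\nDirectory=/local/notesdata\n"
SAMPLE_SET = SAMPLE_UNSET + PARAM.upper() + "=1\n"

if __name__ == "__main__":
    for name, text, ver in [("unset on 7.0.3", SAMPLE_UNSET, (7, 0, 3)),
                            ("unset on 8.0", SAMPLE_UNSET, (8, 0, 0)),
                            ("set to 1 on 7.0.3", SAMPLE_SET, (7, 0, 3))]:
        print(name, "->", audit(text, ver))
```

An undetermined result (None) means the file needs manual review: conflicting entries, a value other than 0 or 1, or a release whose default this page does not state.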
Refer to the Upgrade Central site for details on upgrading Notes/Domino.
Michael Gollmick of TIMETOACT Software & Consulting GmbH and Daniel Nashed of Nash!Com contacted IBM® Lotus® to report a potential LotusScript security vulnerability with Lotus Domino®. This issue has been fixed in Lotus Domino releases 7.0.3 and 8.0 with the use of a new notes.ini parameter.