Xpages ACL validation from the XSP document level

0
votes

Is it possible to validate the Xpage's ACL depending on the Source document's field value.

We need to make the Authors & Readers ability at XPage level (as per requirement I am not supposed to use the ROLES, since, it is dependent on each individual Authors which is stored in backend document FIELD).

Kindly suggest the approach, as I am not even looking HideWhen for the Buttons(edit,save etc)

Example code in the ACLEntry[0] in Xpage:

if getComponent("inputText1").getValue()  == sessionScope.user { 
    session.getEffectiveUserName();
} else {
  return false;
}

Thanks.

3
xpageslotus-notesxpages-extlibxpages-ssjs
If the user does not have Reader access, the XPage will not display values from that Notes document, since it cannot read it. Similarly, if the user does not have Author rights to the document, XPages cannot write back to the Notes document. So, the security model plays through and I'm not sure what you need if not Hide-Whens (visible/rendered).David Navarre

3 Answers

3
votes

I do not quite understand your code on that property...

To query the readers/authors level at XPage level I suggest to use the database.queryAccess method (http://www-10.lotus.com/ldd/ddwiki.nsf/dx/NotesDatabase_sample_JavaScript_code_for_XPages?opendocument&comments#queryAccess) You try to compare the username only. This may fail if your access level is computed by a membership in a group where your username is not relevant.

XPages' ACL depends on the database ACL, so you have to setup the levels there - the XPages' ACL is in addition to the "real" ACL as far as I experienced.

I also experienced that readers fields affect the ability to use an XPage to open a document by default.

I hope my answer is not too confusing ;-)

0
votes

I think the question is valid (to my current knowledge): If I want to design a workflow application but the current approver should not edit the full document I want to give him only access to parts (ie. a comment field and the approval button).

The question above relateds somehow to access controlled sections in old LN development. I so far also didn't find a good solution

0
votes

What you describe is a very common workflow scenario. There are several ways how you can implement that efficiently. Here is what I would do:

  • Have one (or more) custom controls that render the "payload" (the fields the requester fills in)
  • assemble them into one bigger control that is used to render the form
  • compute the mode to read/edit depending on who is opening the form and the mode (new, pending approval, approved, rejected etc.)
  • Optional: when submitted remove submitter from the author field
  • Have one "Approval Control" that show only when the current user is the (current) approver and status is "pending approval" That control has fields that are NOT bound to the document, but a scope variable
  • The approval button triggers SSJS that takes the scope variable values and updates the document (and triggers notifications, access change etc)

The approval component can be used for any approval form. You then can contemplate not to give the approver write access since you could handle that in code.