
Best Practice Makes Perfect

A collaboration with Domino developers about how to do it and how to get it right in Domino

The question before us today: should the DXL Exporter give an error and refuse to export design elements if (a) the user has less than Designer access to the application, and/or (b) the design of the application is hidden?

I'm going to argue that the answer is "no" in both cases. At the moment, there are restrictions -- you can't export any design elements if the database design is hidden, and (last I checked) you can't export an entire design at once if you don't have Designer access, but you can export individual design notes.

Some of you might regard these as security features, e.g. if you're using hide design to prevent users from seeing information in "hidden" fields, you don't want them to export the form design and see what the field names are. Others, including myself, regard these limits as a nuisance that does far more harm by preventing useful applications than any good that may come from making it easier to hide information.

This is an example of "security through obscurity;" it only protects your information insofar as the people trying to get to it don't know the technique for bypassing the restriction. Security through obscurity is still security; for instance, I know that it's not all that hard to open any combination padlock if you know the trick, but I'm not overly concerned that someone will use that knowledge to break into my gym locker (though I always give the dial a couple of turns to make it harder, should anyone try). But security of any sort is only valuable if there's not an obvious workaround.

There are several APIs that let users access information about Notes databases and design elements. None of these APIs are restricted by lack of Designer access or by design hiding (except that you can't get formulas that are hidden without going to the C/C++ APIs).

For instance, here's a very simple way to see the values of hidden fields in a database with hidden design. Any user can do this even without the Designer client, and without using DXL.

There are also various tools, such as NotesMan and the Teamstudio suite, that let users with zero application development skill get all sorts of detailed information about NSF files. The NotesPeek program, which is publicly available, will also give you basically all the information you would need to know about an application. DXL adds very little to that.

Even without such tools, a user who can program in LotusScript or Java can use those APIs to get basic information about the names of design elements and their contents -- a list of all the fields on a form, for instance. The DXL restrictions I'm discussing seem to be aimed at users who can program, who have a Designer client, and are looking for information that they couldn't get from these other APIs or from publicly available tools. To me, this sounds like an empty set.

But let's just suppose for a moment that there are such users. We also have to assume that they aren't bright enough to use the NotesNoteCollection class to get all the design elements in the database and copy them to a local database without a hidden design, in which they are Manager. Then they can use DXL to their hearts' content. This is really pretty obvious, and takes maybe 10 lines of code.

The Hide Design feature, in particular, isn't really appropriate to use for security. Read/write access to documents and design elements, database ACL lists, and the like -- those are security. An even somewhat clever person has too many ways to get at information they technically do have access to for Hide Design to be effective as a security measure. Hide Design's real purpose is to protect proprietary source code.

So in brief, these DXL limitations do very, very little to protect information, but they do make it more difficult to write efficient applications that use DXL to do useful tasks, such as scanning databases on a server for fields without field help or images without alt text.
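As an added example of the kind of useful DXL task mentioned above (this is not code from the original post, nor IBM's): a Python script that post-processes form DXL that has already been exported (for instance with NotesDXLExporter from an agent run by someone with Designer access) and reports, per form, the fields that carry no help description, plus a plain field inventory. The DXL sample is constructed for the example. The `http://www.lotus.com/dxl` namespace and the `form`/`field` elements with their `name`, `type` and `kind` attributes are standard DXL; the element name used for the help description (`fieldhelp`) is an assumption and should be checked against the domino.dtd that ships with your Designer version.

```python
"""Audit exported form DXL for fields without a help description.

Added example, not code from the original post or from IBM. It assumes the
form DXL was exported beforehand and is post-processed offline here.
The sample DXL below is constructed; HELP_ELEMENT is an ASSUMED element
name, to be verified against domino.dtl for your Designer version.
"""
import sys
import xml.etree.ElementTree as ET

DXL_NS = "http://www.lotus.com/dxl"          # standard DXL namespace
HELP_ELEMENT = "fieldhelp"                    # ASSUMPTION: check domino.dtd
_NS = {"d": DXL_NS}

# Constructed sample: two forms, one field ("Body") with no help description.
SAMPLE_DXL = f"""
<database xmlns='{DXL_NS}' title='Sample'>
  <form name='Memo'>
    <body><richtext>
      <par><field type='text' kind='editable' name='Subject'>
        <{HELP_ELEMENT}>Short description of the memo</{HELP_ELEMENT}>
      </field></par>
      <par><field type='text' kind='editable' name='Body'/></par>
    </richtext></body>
  </form>
  <form name='Reply'>
    <body><richtext>
      <par><field type='text' kind='computed' name='SendTo'>
        <{HELP_ELEMENT}>Recipient address</{HELP_ELEMENT}>
      </field></par>
    </richtext></body>
  </form>
</database>
"""


def _forms(root):
    """Yield every <form> element in the DXL, wherever it is nested."""
    return root.iter(f"{{{DXL_NS}}}form")


def form_inventory(dxl_text):
    """Return {form_name: [(field_name, type, kind), ...]} for every form."""
    root = ET.fromstring(dxl_text)
    inventory = {}
    for form in _forms(root):
        inventory[form.get("name", "?")] = [
            (f.get("name"), f.get("type"), f.get("kind"))
            for f in form.iter(f"{{{DXL_NS}}}field")
        ]
    return inventory


def fields_without_help(dxl_text):
    """Return {form_name: [field names that have no help description]}.

    A field is flagged when it has no child element named HELP_ELEMENT.
    """
    root = ET.fromstring(dxl_text)
    missing = {}
    for form in _forms(root):
        missing[form.get("name", "?")] = [
            f.get("name")
            for f in form.iter(f"{{{DXL_NS}}}field")
            if f.find(f"d:{HELP_ELEMENT}", _NS) is None
        ]
    return missing


def main(paths):
    """Scan each DXL file given on the command line (or the sample if none)."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] \
        or [("<constructed sample>", SAMPLE_DXL)]
    for label, text in sources:
        print(f"== {label}")
        for form, fields in fields_without_help(text).items():
            status = ", ".join(fields) if fields else "(all fields have help)"
            print(f"  form {form!r}: {status}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with one or more exported `.dxl` files as arguments; with no arguments it scans the constructed sample and reports that `Body` on the `Memo` form has no help description. Because it only reads XML that was exported by someone who already had the access to export it, the script itself needs no Notes client and no special rights.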

Please comment. If you support leaving these restrictions in place (or adding to them!), could you give examples of a way in which they increase security or some other benefit?

Andre Guirard | 1 July 2009 01:32:56 PM ET | Caribou Coffee, Plymouth, MN, USA | Comments (15)
