Get the path to the Room & Resources database in IBM Domino? - resources

I need to programmatically find the path to the Room & Resources database, preferably accessible through an HTTP request. Just placing an HTTP request and getting the path/filename returned somewhere in the response would be sufficient.
And/or are there any assumptions that can be made in regard to the file/path name of Rooms & Resources? So, at the very least, I can provide an educated guess to the end user.
Since the room & resource database may be clustered - a way to determine this would also be appreciated and preferably through an HTTP request.
NO changes can be made to the environment to get this information - this means no programming in the users mailfile or any other design changes.
The question is in regard to IBM Domino 8.5+
/J

To get the information "somewhere in the response" is quite easy: just use the hidden ($Users) view to get that information:
http://servername/names.nsf/($Users)/Resource%2FOrga?OpenDocument
As you see, you have to encode the slashes in the resource name with %2F.
The response will be a website that contains Server AND FilePath in two fields:
<input name="MailServer" type="hidden" value="YourServer/Org">
<input name="MailFile" type="hidden" value="pathtoresourcedatabase.nsf">
In that document there is only the "main" server. Information about clustering would have to be obtained by looking up the MailServer value (in a canonicalized form) in the view ($Servers):
http://servername/names.nsf/($Servers)/CN=YourServer%2FO=Org?OpenDocument
In the result there will be a field called ClusterName:
<input name="ClusterName" type="hidden" value="YourClusterName">
And with that information you could look up the cluster members using the view called ($Clusters), but there you have to parse the information, as this is not a single document. Just check the output of:
http://servername/names.nsf/($Clusters)?OpenView
If you need to get a "better parseable" result, then use ReadViewEntries instead of OpenView; then the result is XML (or JSON, if you add another parameter, &outputformat=JSON).
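The first two lookups in this answer, as an added example that is not part of the original post: it extracts MailServer and MailFile from a ($Users) response and builds the ($Servers) URL for the cluster lookup. DominoLookup and its members are hypothetical names, the HTML is a constructed sample, and the canonicalization assumes names without a country code.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

// Added illustration; DominoLookup and its members are hypothetical names.
public static class DominoLookup
{
    // Value of a hidden <input name="..."> field in an ?OpenDocument response, or null.
    public static string HiddenField(string html, string name)
    {
        var m = Regex.Match(html,
            "<input\\s+name=\"" + Regex.Escape(name) + "\"[^>]*\\bvalue=\"([^\"]*)\"",
            RegexOptions.IgnoreCase);
        return m.Success ? WebUtility.HtmlDecode(m.Groups[1].Value) : null;
    }

    // "YourServer/Org" -> "CN=YourServer/O=Org". Assumes the first part is the common
    // name, the last is the organization, anything between is an OU (no country code).
    public static string Canonicalize(string abbreviated)
    {
        string[] p = abbreviated.Split('/');
        if (p.Length == 1 || p[0].StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
            return abbreviated;
        return string.Join("/", p.Select((s, i) =>
            (i == 0 ? "CN=" : i == p.Length - 1 ? "O=" : "OU=") + s));
    }

    // Document URL for a key in a names.nsf view; "/" in the key becomes %2F.
    public static string DocUrl(string host, string view, string key) =>
        "http://" + host + "/names.nsf/" + view + "/" +
        Uri.EscapeDataString(key).Replace("%3D", "=") + "?OpenDocument";
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample of the ($Users) response body described above.
        string html = "<input name=\"MailServer\" type=\"hidden\" value=\"YourServer/Org\">\n" +
                      "<input name=\"MailFile\" type=\"hidden\" value=\"pathtoresourcedatabase.nsf\">";

        string server = DominoLookup.HiddenField(html, "MailServer");
        Console.WriteLine(server + " -> " + DominoLookup.HiddenField(html, "MailFile"));
        Console.WriteLine(DominoLookup.DocUrl("servername", "($Servers)",
            DominoLookup.Canonicalize(server)));
    }
}
```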

There's a view for rooms and resources in the names.nsf. You can probably query this view with an HTTP request and parse the result, to find out the path to the resource databases.
BTW, it is possible to have multiple resource databases.

Related

Get Status Changes for Envelopes

I am trying to use the GET envelopes API, and specifying a folder. My folder_ids parameter is below:
&folder_ids='Sent Items'
I have also tried 'completed' and 'sent_items', but I get the same error:
"message": "The request contained at least one invalid parameter. folder_ids must be a comma separated list of either valid folder Guids or 'awaiting_my_signature', 'completed', 'draft', 'drafts', 'expiring_soon', 'inbox', 'out_for_signature', 'recyclebin', 'sentitems' or 'waiting_for_others'."
Does anybody know what I am doing wrong for my filter?
When specifying a folderId it needs to be in a GUID format, unfortunately you cannot request envelopes based on the name of the folder.
The good news is that if you're looking for sent items there's another parameter you can use that is a bit more universal:
envelopes?from_date=8-1-2021&to_date=9-3-2021&folder_types=sentitems
I also tested folder_ids and it looks like the value for the sentitems folder is 'sentitems' there as well. You may want to consider opening a case with us to go over the process in realtime at https://support.docusign.com.
Regards,
Matt

What kinds of security vulnerabilities can be introduced by binding specifically GET request data to page model properties?

I'm reading tutorials on ASP .NET Core and Razor Pages.
One of them, when dealing with the BindProperty attribute, has remarks I find hardly understandable:
Razor Pages, by default, bind properties only with non-GET verbs.
Binding to properties can reduce the amount of code you have to write.
Binding reduces code by using the same property to render form fields
(<input asp-for="Customer.Name" />) and accept the input.
For security reasons, you must opt in to binding GET request data to
page model properties. Verify user input before mapping it to
properties. Opting in to this behavior is useful when addressing
scenarios which rely on query string or route values.
To bind a property on GET requests, set the [BindProperty] attribute's
SupportsGet property to true: [BindProperty(SupportsGet = true)]
(emphasis mine) Source: Introduction to Razor Pages in ASP.NET Core § Writing a basic form
I do not understand. Why do extra security measures need to be taken when dealing specifically with GET requests?
As far as I can tell, GET requests are supposed to be safer, not less safe than POST requests, because GET only retrieves data, while POST sends data to the server. So, more often than not, POST requests need extra security measures GET reqs don't need.
And yet now I'm reading that it's fine to do X with POST but careful, don't do this with GET recklessly, you must opt-in and be warned, take precautions!
Why are these warnings necessary? What kind of security vulnerabilities can be introduced by binding GET request data to page model properties? And why are these vulnerabilities not applicable to POST requests?
Binding is a two-way model, meaning it binds a given element for both rendering ("show this value here") and submitting back ("save this value there"). For example, you'd use binding to populate an input field with a value that a user could then update and POST back. Binding handles dealing with the value automatically.
If you simply want to display a value, you don't need to use binding at all. Simply make it a public property of your model and reference it directly ({Model.PropertyName}).
There are a bunch of reasons for avoiding [BindProperty(SupportsGet = true)] but I think HTTP's RFC 7231, Section 9.4 covers it well:
URIs are intended to be shared, not secured, even when they identify secure resources. URIs are often shown on displays, added to templates when a page is printed, and stored in a variety of unprotected bookmark lists. It is therefore unwise to include information within a URI that is sensitive, personally identifiable, or a risk to disclose.
Authors of services ought to avoid GET-based forms for the submission of sensitive data because that data will be placed in the request-target. Many existing servers, proxies, and user agents log or display the request-target in places where it might be visible to third parties. Such services ought to use POST-based form submission instead.
Since the Referer header field tells a target site about the context that resulted in a request, it has the potential to reveal information about the user's immediate browsing history and any personal information that might be found in the referring resource's URI.
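As an added example (not from the quoted tutorial or the answer above), a page model that opts only shareable filter values into GET binding, validates them, and leaves a sensitive field on the default non-GET binding so it never has to travel in the URL. OrdersModel and its property names are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Added illustration; OrdersModel and its properties are hypothetical.
public class OrdersModel : PageModel
{
    // Filter values are fine to bookmark, log or share, so GET binding is opted in.
    // They are still untrusted input, so each one is constrained before use.
    [BindProperty(SupportsGet = true)]
    [StringLength(50)]
    [RegularExpression(@"^[\w\s-]*$")]
    public string Search { get; set; }

    [BindProperty(SupportsGet = true)]
    [Range(1, 1000)]
    public int PageNumber { get; set; } = 1;

    // Sensitive value: default binding (non-GET verbs only). A ?CardNumber=...
    // query string on a GET request is not mapped to this property.
    [BindProperty]
    [CreditCard]
    public string CardNumber { get; set; }

    public IActionResult OnGet()
    {
        // Reject query-string values that fail the attributes above.
        if (!ModelState.IsValid) return BadRequest(ModelState);
        return Page();
    }

    public IActionResult OnPost()
    {
        // The card number arrives in the request body, not in the request-target.
        if (!ModelState.IsValid) return Page();
        return RedirectToPage();
    }
}
```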

solution for: select input, dropdown tampering prevention

For hidden field tampering protection: Id, RowVersion, I use a version of Adam Tuliper AntiModelInjection.
I'm currently investigating a way to prevent tampering of valid options found in select lists/drop downs. Consider a multitenant shared database solution where fk isn't safe enough and options are dynamically filtered in cascading dropdowns.
In the old days of ASP.NET webforms, there was viewstate that added tampering prevention for free. How is select list tampering prevention accomplished in ajax era? Is there a general solution by comparing hashes rather than re-fetching option values from database and comparing manually?
Is ViewState relevant in ASP.NET MVC?
If you can, the single solution here is to filter by the current user id's permission to that data, and then those permissions are validated once again on the save.
If this isn't possible (and there are multiple ways server side to accomplish this via things like a CustomerId fk in your records, to adding to a temporary security cache on the server side, etc), then a client side value can provide an additional option.
If a client side option is provided like was done with Web Forms, then consider encrypting based on their
a.) User id plus another key
b.) SessionId (session must be established ahead of time though or session ids can change per request until session is established by a value stored in the session object).
c.) Some other distinct value
HTTPS is extremely important here so these values aren't sniffed. In addition ideally you want to make them unique per page. That could be the second key in A above. Why? We don't want an attacker to figure out a way to create new records elsewhere in your web app and be able to figure out what the hashes or encrypted values are for 1,2,3,4,5,6,etc and create essentially a rainbow table of values to fake.
Leblanc, in my experience, client side validation has been used mostly for user convenience. Not having to POST, to only then find out that something is wrong.
Final validation needs to occur on the server side, away from the ability to manipulate HTML. Common users will not go on to tamper with select lists and drop downs. This is done by people trying to break your page or get illegal access to data. I guess my point is final security needs to exist in the server, instead of the client side.
I think a global solution could be created given a few assumptions. Before I build anything I'd like to propose an open solution to see if anyone can find flaws or potential problems.
Given all dropdowns retrieve their data remotely. - in an ajax era and with cascading boxes this is now more common. (We are using kendo dropdowns.)
public SelectList GetLocations(int dependantarg);
The SelectList will be returned back as json - but not before having newtonsoft serialization converter automatically inject: (done at global level)
EncryptedAndSigned property to the json. This property will contain a Serialized version of the full SelectList containing all valid values that is also encrypted.
EncryptedName property to the json. This property will have the controller actionname - For this example the EncryptedName value would be "GetLocations"
When the http post is made EncryptedName : EncryptedAndSigned must be sent in the post also. For this JSON POST example it would be:
{
Location_Id: 4,
GetLocations: 'EncryptedAndSigned value'
}
On the server side:
[ValidateOptionInjection("GetLocations", "Location_Id")]
public ActionResult Update(Case @case) // "case" is a C# keyword, so the parameter needs the @ prefix
{
    // access @case.Location_Id safely, knowing that this was a valid option available to the user.
}
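A sketch of the token that proposal relies on, added here and not the poster's or any library's code: the option list is signed with HMAC-SHA256 bound to the user id and the action name, and the submitted id is checked against the signed list on POST. It signs rather than encrypts (the ids stay readable), carries no expiry, assumes .NET 6 or later, and OptionListToken is a hypothetical name.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration; OptionListToken and its members are hypothetical names.
public static class OptionListToken
{
    // Token layout: "<id,id,...>.<base64 HMAC>". The ids stay readable; the MAC
    // binds them to one user and one option source (the action name).
    public static string Issue(byte[] key, string userId, string action, int[] allowedIds)
    {
        string ids = string.Join(",", allowedIds);
        return ids + "." + Convert.ToBase64String(Mac(key, userId, action, ids));
    }

    // True only if the token is intact, was issued to this user for this action,
    // and the submitted id is one of the options that were offered.
    public static bool IsAllowed(byte[] key, string userId, string action, string token, int submittedId)
    {
        int dot = (token ?? "").IndexOf('.');
        if (dot < 0) return false;
        string ids = token.Substring(0, dot);
        byte[] presented;
        try { presented = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        if (!CryptographicOperations.FixedTimeEquals(Mac(key, userId, action, ids), presented))
            return false;
        return ids.Split(',').Contains(submittedId.ToString());
    }

    private static byte[] Mac(byte[] key, string userId, string action, string ids)
    {
        // Length prefixes keep ("ab", "c") and ("a", "bc") from producing the same message.
        string msg = userId.Length + ":" + userId + "|" + action.Length + ":" + action + "|" + ids;
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(msg));
    }
}

public static class Program
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed; the real key stays server-side
        string token = OptionListToken.Issue(key, "user-17", "GetLocations", new[] { 2, 4, 9 });
        Console.WriteLine(OptionListToken.IsAllowed(key, "user-17", "GetLocations", token, 4)); // offered option
        Console.WriteLine(OptionListToken.IsAllowed(key, "user-17", "GetLocations", token, 5)); // id never offered
        Console.WriteLine(OptionListToken.IsAllowed(key, "user-99", "GetLocations", token, 4)); // another user's token
    }
}
```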

Custom memo field isn't copied to Reply or Forward in Lotus Notes 6.5

I work in a development/support team which has a shared Lotus Notes mailbox. We need to be able to associate an issue ID with each email. We started by adding this ID to the subject line (eg. "Something doesn't work [ID12345]"). For performance reasons, our IT dept don't allow indexing of shared mailboxes, so it takes a long time to search for a particular ID.
I decided to add a new ID field, which can be shown as a sortable column in views and folders. I put this field to the visible header (just below 'Subject') in the ($All) view and the ($Inbox) folder, and copied the ($Inbox) design to all the other folders in the database. That much was easy.
My problem is that when we reply or forward, this custom field is not carried over to the new memo, so we have to manually add it again before sending. And of course when the user responds, the field is again missing and must be manually added. I have searched the docs and the internet and haven't found any information on this. Either I have to declare this field as something which persists across replies and forwards, or I have to add a line somewhere which explicitly copies the field contents to the new memo.
fsw,
We do exactly this with our complaint system however our database is indexed although this should not be an issue to you. We created a view that is sorted by ID by extracting just the ID from the subject line, order it by ID and then by date descending. Base it on the $ALL folder view so you get both incoming and sent emails.
We then altered the memo form to include an embedded view single category of the new view that sits above the body which shows all other documents linked to the ticket.
This should avoid having to delve too far into the very complex mail template any further. One thing is to make sure you have a copy of the changes you made and a bit of doco re deploying as you can guarantee that one day your template will be completely overwritten in an upgrade and all your good work will be gone.
As the additional field would have to be incorporated into all Memo forms in mail templates in your corporation and as these fields do not easily travel via SMTP, you should stick with the ID in the subject.
What you could do is to parse the subject (@Mid, @Right, ...) in the column formula in the view and only display the ID there (like you did with the additional field).
The other option I envision if having a field is required is to have an agent that processes the incoming message(reply) to have it parse out the issue ID from the subject and write it to the field. You could also do that with queryopen or postopen if running an agent is not possible

Passing form data to another form via url in lotus

I am working on a new web app in lotus/domino. I am newer to lotus/domino programming, so forgive me for not knowing something simple.
What I am trying to do is display a table of information, with one of the columns containing a link. The link is formatted like [http://server/app.nsf/form?openform&ideaNum=1&var2=foo2]
How can I retrieve the information from the url, to get information from a view or a document?
So far I have tried to access the query string in the webQueryOpen event, but lotus runs the agent before the DOM writes to the browser, the query_string isn't available.
I am not sure how else to get information from one form to another in lotus.
Thanks for the help.
-Kris
If you're passing multiple params in the query_string, you can get Domino to do a bit more of the work for you. There's an @Function command - @UrlQueryString - that can format the params into a list, delimiting at the "&".
E.g. server/app.nsf/form?openform&ideaNum=1&var2=foo2
becomes a list:
openform
ideaNum=1
var2=foo2
To use it, on the destination form create a multi-value text field called something like "QryStringList".
Set it to be computed when composed, and set its value to @UrlQueryString.
In your WebQueryOpen agent, you can access the params as doc.QryStringList(0), doc.QryStringList(1) and so on, if you're using Lotusscript.
I'm fairly sure I put this together using info from the IBM/ldd forum, but the exact source is lost in the mists of time and memory, so apologies if I've copied someone's post.
Just as a follow up, I found that you are able to specify an on form variable named the same as QUERY_STRING. The variable is actually a reserved term for Lotus, so Lotus pre-fetches the variable before running the information out the browser.
Due to the pre-fetching, you are able to access the url information during the webQueryOpen event.
I hope this helps someone else looking for the same type of functionality.
-Kris
