I have a xPage application which shows list of emails of the currently logged user. Using some button user can remove selected email from inbox and put it into another folder.
UI works fine except the fact that document.removeFromFolder and document.putInFolder in my JAVA backend class throws an error "Notes error: You are not authorized to perform that operation ($Inbox)" . There is the same error for removing or putting document from/into inbox/another folder. But ACL is correct, user can create emails, delete them ...
Has anyone some hint whats wrong here?
Here is the error message I'm getting(just a small part):
JavaScriptMethodBinding.invoke(JavaScriptMethodBinding.java:111)
...
32 more
Caused by: NotesException: Notes error: You are not
authorized to perform t hat operation
(($Inbox))
at
lotus.domino.local.Document.removeFromFolder(Unknown Source)
There are a number of checkpoints to watch out for:
If you use "session as signer that signer needs to have access to the mail file
If application and NSF are on different servers you need a setting in the server document needs to include a trust relation for these servers. That's the server document - Security - left column, bottom: Trusted servers.
I presume the servers have ACL access
Hope that helps
Related
I have this weird problem when I try to use a simple default flow template to save email attachments to the company main SharePoint site: company.sharepoint.com (not subsite).
So I get started, by taking all the defaults of this flow, however, once i get to the point of providing the site address and document library path I get the error highlighted in red.
Where I get confused is that when I create a subsite like company.sharepoint.com/sites/testsite I enter the subsite address and the folder path automatically populates the folder structure for me to pick where I want to save such attachment.
I have given full owner permission to this test account with same results. So permission is not the problem.
My question is, could it be I'm using the wrong flow to save to a main SharePoint site? or this is something not allowed?
You could check the connector and recreate a new connection to SharePoint.
In many cases, an error code of 403 appears in a flow fail because of an authentication error. If you have this type of error, you can usually fix an authentication error by updating the connection, please make sure you have update the connection.
You could refer to this article.
Just in case anyone has a similar problem, the account to which you are creating a power automate flow must be a site collector to the root SharePoint site.
I am trying to create a setup where a user can
signup & sign in directly from the combined signup&Signin page
Signup&signin from the invitation link.
Point one is working perfectly fine using the following files
BaseFile
ExtensionFile
RPFile
For point 2 I have created
SignupinviteRPFile
Now, when I click on the invitation URL which is in the following format
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_signup_invitation/oauth2/v2.0/authorize?client_id={clientID}&nonce=ca00379642b94aa693a80b66783aa010&redirect_uri=https%3A%2F%2Fmytenant-dev.azurewebsites.net%2Fsignup%2Fuser-invite&scope=openid&response_type=id_token&id_token_hint={SignedJWTToken}
I do get the signup page with readonly emailID. But once I fill all the information and click "Create" it gives me
Following issue:
Sorry, but we're having trouble signing you in.
We track these errors automatically, but if the problem persists feel free to contact us. In the meantime, please try again.
Correlation ID: 3a9f35e6-51e1-40b7-9ee9-d9c8081ff8d6
Timestamp: 2021-02-03 11:07:20Z
AADB2C: An exception has occurred.
Observations:
The account gets created in the local AD and I can see the user's entry
Following are the three calls from the network logger
/SelfAsserted?tx=StateProperties=eyJUSUQiOiIzYTlmMzVlNi01MWUxLTQwYjctOWVlOS1kOWM4MDgxZmY4ZDYifQ&p=B2C_1A_signup_invitation
2./confirmed?csrf_token=bThiL2hJNXZ4ZFBwSXZ3ZzRLd1lVUExQV2V1T3EzVkNBYUloaEpqWk5lYTBXczAvUW9oSjJMVXBEWWhrenZ1Ymc2SkJNL3N5N0UxNzZYNHBDVDdsaWc9PTsyMDIxLTAyLTAzVDExOjA2OjQ2LjU5NTgzMzVaO2tuVzlHdzdMTDZ1QzMyT1JmRGNZbGc9PTt7IlRhcmdldEVudGl0eSI6IkxvY2FsQWNjb3VudFNpZ25VcFdpdGhSZWFkT25seUVtYWlsIiwiT3JjaGVzdHJhdGlvblN0ZXAiOjN9&tx=StateProperties=eyJUSUQiOiIzYTlmMzVlNi01MWUxLTQwYjctOWVlOS1kOWM4MDgxZmY4ZDYifQ&p=B2C_1A_signup_invitation&diags=%7B%22pageViewId%22%3A%22e25ebe04-1601-460d-b3a8-1d958c8155b8%22%2C%22pageId%22%3A%22SelfAsserted%22%2C%22trace%22%3A%5B%7B%22ac%22%3A%22T005%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A3%7D%2C%7B%22ac%22%3A%22T021%20-%20URL%3Ahttps%3A%2F%2Fmytenant.b2clogin.com%2Fstatic%2Ftenant%2Ftemplates%2FAzureBlue%2FselfAsserted.cshtml%3Fslice%3D001-000%26dc%3DPNQ%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A50%7D%2C%7B%22ac%22%3A%22T019%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A8%7D%2C%7B%22ac%22%3A%22T004%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T003%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T035%22%2C%22acST%22%3A1612350410%2C%22acD%22%3A0%7D%2C%7B%22ac%22%3A%22T030Online%22%2C%22acST%22%3A1612350410%2C%22acD%22%3A0%7D%2C%7B%22ac%22%3A%22T017T010%22%2C%22acST%22%3A1612350438%2C%22acD%22%3A1075%7D%2C%7B%22ac%22%3A%22T002%22%2C%22acST%22%3A1612350440%2C%22acD%22%3A0%7D%2C%7B%22ac%22%3A%22T017T010%22%2C%22acST%22%3A1612350438%2C%22acD%22%3A1077%7D%5D%7D
3.client/perftrace?tx=3a9f35e6-51e1-40b7-9ee9-d9c8081ff8d6&p=null
3. Following URL uses GET Method
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_signup_invitation/api/SelfAsserted/confirmed?csrf_token=bThiL2hJNXZ4ZFBwSXZ3ZzRLd1lVUExQV2V1T3EzVkNBYUloaEpqWk5lYTBXczAvUW9oSjJMVXBEWWhrenZ1Ymc2SkJNL3N5N0UxNzZYNHBDVDdsaWc9PTsyMDIxLTAyLTAzVDExOjA2OjQ2LjU5NTgzMzVaO2tuVzlHdzdMTDZ1QzMyT1JmRGNZbGc9PTt7IlRhcmdldEVudGl0eSI6IkxvY2FsQWNjb3VudFNpZ25VcFdpdGhSZWFkT25seUVtYWlsIiwiT3JjaGVzdHJhdGlvblN0ZXAiOjN9&tx=StateProperties=eyJUSUQiOiIzYTlmMzVlNi01MWUxLTQwYjctOWVlOS1kOWM4MDgxZmY4ZDYifQ&p=B2C_1A_signup_invitation&diags=%7B%22pageViewId%22%3A%22e25ebe04-1601-460d-b3a8-1d958c8155b8%22%2C%22pageId%22%3A%22SelfAsserted%22%2C%22trace%22%3A%5B%7B%22ac%22%3A%22T005%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A3%7D%2C%7B%22ac%22%3A%22T021%20-%20URL%3Ahttps%3A%2F%2Fmytenant.b2clogin.com%2Fstatic%2Ftenant%2Ftemplates%2FAzureBlue%2FselfAsserted.cshtml%3Fslice%3D001-000%26dc%3DPNQ%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A50%7D%2C%7B%22ac%22%3A%22T019%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A8%7D%2C%7B%22ac%22%3A%22T004%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T003%22%2C%22acST%22%3A1612350407%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T035%22%2C%22acST%22%3A1612350410%2C%22acD%22%3A0%7D%2C%7B%22ac%22%3A%22T030Online%22%2C%22acST%22%3A1612350410%2C%22acD%22%3A0%7D%2C%7B%22ac%22%3A%22T017T010%22%2C%22acST%22%3A1612350438%2C%22acD%22%3A1075%7D%2C%7B%22ac%22%3A%22T002%22%2C%22acST%22%3A1612350440%2C%22acD%22%3A0%7D%2C%7B%22ac%22%3A%22T017T010%22%2C%22acST%22%3A1612350438%2C%22acD%22%3A1077%7D%5D%7D
Gives following message:
We can't sign you in
Your browser is currently set to block JavaScript. You need to allow JavaScript to use this service.
To learn how to allow JavaScript or to find out whether your browser supports JavaScript, check the online help in your web browser.
And the last call uses POST method
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_signup_invitation/client/perftrace?tx=3a9f35e6-51e1-40b7-9ee9-d9c8081ff8d6&p=null
gives 404 error message
Basically, after the signup from the invitation url I am not able to signin to my application. I am not sure if there is any conflict between the two RP files or If I am missing anything.
The problem is here
https://github.com/rbagree/B2CSignupSigninInvite/blob/main/signup_invitation.xml#L63
The log shows it cannot find this key. Just remove this entire technical profile as it should already exist in your base file.
I'm currently implementing the OpenNTF Multiple File Uploader by Mark Leusink.
This very nice custom control uses an xAgent to embed the selected file attachment into the target Notes document. Everything was working fine until I added Authors and Readers fields to the Notes documents. Now I'm getting a security error (402) when uploading the file.
My thought is the Upload xAgent can't edit the target document to attach the file. If I remove the security fields, everything works again.
My question is, do xAgents run with the same security as the current user? If not, can I set a "run as" user for the xAgent like I can for a Lotus Script agent?
I'd suggest that you look at the xAgent's code and rewrite it to use sessionAsSigner to access the database/document to upload the file. This will cause it to run as the signer of the application and bypass the security issues that your running into.
Both Tom's and Declan's answers are correct, but this doesn't count for the file uploader.
It uses a Flash component to do the actual uploading (called SWFUpload). Since browser cookies aren't shared with Flash, it can't send along the user's session cookie with the file and therefore to the Domino server the user performing the upload is nog logged in (aka Anonymous). That's why the uploader requires anonymous users to be allowed to read/write public documents in the ACL and the XPage/ XAgent handling the uploaded files (aUpload.xsp) is set to allow "public access users". It uses the sessionAsSigner object to access the database's content
Normally, the above settings would allow everyone to anonymously upload files. That's why I implemented a custom authentication solution based on an idea by Mark Barton: before every file is uploaded, a request is made to an XPage to retrieve a unique key. That XPage (aGetAuth.xsp) does run under the user's credentials and stores the key in a document in the database. This key is send along with the uploaded file and compared with the stored key. The upload is only allowed if the keys match.
First thing I'd check in your case if the code in the aUpload.xsp XAgent can read and write the target document using the sessionAsSigner call.
Mark, Declan, and Tim, thanks for jumping in.
I modified the xAgent **aGetAuth.xsp** to use sessionAsSigner to get the current database. At first I got the error "sessionAsSigner not found".
Google showed a quick answer was to re-sign the template before testing. After re-signing the template, twice, and preforming a "clean" everything works brilliantly.
SharePoint web site = http://myexample:3500
SharePoint tester (admin on domain, admin on SharePoint site collection) = IAmKyle
Alternate Access Mapping: I left it at the default which is http://myexample:3500 maps to itself, and the zone is "default".
My code was deployed as a farm solution and my .dll is in the GAC. I activated a feature on my site collection (url is above). What the code does is, when the user updates a SharePoint item, my code executes a LINQ query finding "related" items. Then the related items are updated. Here are the errors I get:
On Windows Event Logs:
Error loading and running event receiver [my receiver assembly]. Object reference not set to instance of an object.
On SharePoint ULS event logs:
Same error as I see in Windows Event logs. Also, I was getting errors about "alternate access mapping" not being configured for http://myexample:3500 but I'm not getting them anymore. Don't know why, I haven't changed anything.
On IIS logs
Getting some 401 responses for pages that I should be able to access. But, it only shows the tail end of the page in some cases e.g. "/mysite/mypage" so I'm unsure what the full URL is.
These errors are very confusing, my code 100% works on my test system. What network or sharepoint configurations should I be looking for? I'm assuming my code itself works fine considering that it does work on my test environment. Of course, I have more permissions on test since my username on test is the user who created the farm.
Thanks.
Do you get these errors when trying to activate the feature or when actually making a change to a list item?
Also, have you tried attaching the VS debugger to the process and having a look at what is going on?
It is complex, I'll trying to describe it here.
If the user and his group have no access rights to anything on the SP site, the user will get a proper "Error:Access Denied" SharePoint page upon logon.
If the user has some access to something through his group membership, then
a. If the user is listed in the All People list, then the user can logon and use the site with no problem.
b. If the user is not listed in the All People list, then the user will get a IIS 403 Error page. Back on the server, there will be an event of "A process serving application pool '[IIS app pool name]' suffered a fatal communication error with the World Wide Web Publishing Service", which indicates a crash in the IIS app pool. If the user is keen and keeps trying, he can crash the app pool frequently and eventually cause the app pool to stop and the application is down!!!
We are using forms authentication and Asp.net membership provider and role provider. It appears that when 2b is happening, SP is repeatedly (should be only once) calling membership provider GetUser method (until the fatal communication error is coming up I guess). I believe it is for the initila user profile import. When 2a is happening, the GetUser method is not called.
We can manually do things like adding the user to the Visitors group and then taking the user out of the Visitors group, which will add the user to the All People list so he will be able to log on. During the manual process, the membership provider GetUesr is also called but just once and works fine.
This problem only just started occuring recently and only in one environment (the PRODUCTION!). It was all fine and the other environments UAT and training environment both don't have this issue. We've compared the environments and checked all the obvious and couldn't find any differences that could cause this. The production has got around 110 users, which is more than the other environments but still not a lot.
Anyone out there can help?
Based on the comment below it looks like the error is occuring in the custom implementation of GetUser, after the call to the web service. It is also only occuring in the environment that has the most data.
The next thing to check therefore is the code between the call to the web service and the return of getuser. Do you have any arrays where the max length is set? Do you make any assumptions about which data is contained i a spesific item in an array? How do you check/log that the web service is returning a valid result?
Hope this helps
Shiraz
Cause of the problem found. The advanced setting on All People list has got Item Level Edit permission set to none.