
Using sessionAsSigner to allow Scripts Greater Access (XPages)

Date tip published: 08/31/2010
Description: Domino 8.5.2 introduces a new global object in Server-side JavaScript to allow code in an XPage to run with the permissions of the XPage signer. In previous Domino releases, all Server-side JavaScript ran with the permissions and rights of the actual user.

To learn more about creating XPages and using Server-side JavaScript use the following link:

Developing XPages using Domino Designer 8.5

Using sessionAsSigner to allow Scripts Greater Access (XPages)

Server-side JavaScript in XPages runs with the permissions of the current user, so the user must have the appropriate rights in every application the code accesses. This is a departure from the WebQueryOpen and WebQuerySave agents used in traditional Domino applications. Those agents ran with the rights of the agent signer. This allowed the developer to assign limited rights in the ACL (Access Control List) for the web user, and the agent could then be used to look up information from other databases.

Domino 8.5.2 adds a new global object to Server-side JavaScript, called sessionAsSigner, that allows developers to write scripts that run with the permissions of the signer of the XPage instead of the user accessing the XPage. There is one caveat to using it. You cannot use the getCurrentDatabase() method with sessionAsSigner to get the current database, as you could with the session object. Instead you must use getDatabase() to get a handle to a database, even if it is the current database you want. (Note that the documentation incorrectly shows getCurrentDatabase() to be available.)

The first line of the code below shows how to access the current database using sessionAsSigner. It uses the session global variable to get the current server name and file path. To access another database, change the second parameter to the correct file path and file name. The remainder of the code creates a new document in the database, adds a field value to the document and saves it. If the session global variable were used instead of sessionAsSigner, the user would need at least Depositor or Author access in this database. With sessionAsSigner, the user can be set to Reader access in the ACL.

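var curDB = sessionAsSigner.getDatabase(session.getServerName(), session.getCurrentDatabase().getFilePath());
// curDB was opened with the signer's rights, so the create and save below do not depend on the user's ACL level.
var doc = curDB.createDocument();
doc.appendItemValue("testfield", "Some Data");
doc.save();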
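
The other use mentioned above, looking up information in another database the web user cannot open, is sketched here as an added example that is not part of the original tip. The function name lookupAsSigner, the file name lookup.nsf, the view byCode and the item names are hypothetical, and the stub session is constructed so the function can be run outside Domino; in an XPage you would pass sessionAsSigner as the first argument.

```javascript
// Added example: read one item from another database with the signer's rights.
// lookupAsSigner and every database, view and item name here are hypothetical.
function lookupAsSigner(signerSession, server, filePath, viewName, key, itemName) {
    // getDatabase() is used because getCurrentDatabase() is not available on sessionAsSigner.
    var db = signerSession.getDatabase(server, filePath);
    if (db == null || !db.isOpen()) {
        return null; // wrong path, or the signer cannot open the database
    }
    var view = db.getView(viewName);
    if (view == null) {
        return null; // view does not exist
    }
    var doc = view.getDocumentByKey(key, true); // true = exact match only
    if (doc == null) {
        return null; // no document for this key
    }
    // Return a single item value rather than the document, so the signer's
    // wider read access exposes only the field the page actually needs.
    return doc.getItemValueString(itemName);
}

// Constructed stand-in for sessionAsSigner, for running the function outside Domino.
function stubSignerSession(docsByKey) {
    return {
        getDatabase: function (server, filePath) {
            if (filePath !== "lookup.nsf") { return null; }
            return {
                isOpen: function () { return true; },
                getView: function (name) {
                    if (name !== "byCode") { return null; }
                    return {
                        getDocumentByKey: function (key, exact) {
                            var items = docsByKey[key];
                            if (!items) { return null; }
                            return {
                                getItemValueString: function (n) { return items[n] || ""; }
                            };
                        }
                    };
                }
            };
        }
    };
}
```

In an XPage the call would look like lookupAsSigner(sessionAsSigner, session.getServerName(), "lookup.nsf", "byCode", someKey, "Price"), with the web user holding no access at all to lookup.nsf.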