API
@-Formulas
JavaScript
LotusScript
Reg Exp
Web Design
Notes Client
XPages
 
Preventing Notes Access To An Application
We were developing a new web site for a customer when we had an odd request - they wanted no Notes access whatsoever to the application. They wanted to force their users to access the application through a web browser. Normally, at least some kind of administrative access would happen through Notes, but that wasn't even wanted in this case. How did we satisfy this requirement?

The first thing we'll point out is that experienced Notes users will find a way around anything, so it's very difficult to make the application 100% inaccessible to Notes. But these tips make it very difficult to access the application through Notes, and will stop 95% or more of the users (novice to intermediate experience levels) from accessing the application through Notes.

The first thing we did was to make sure that users were restricted in the ACL as much as possible. This means that users could not create any views or agents which would allow them to access the data in ways that we did not intend.

The second thing we did was to hide all the design elements that were not necessary from the Notes client. Some design elements still needed to be shown to Notes (for things like scheduled agents and certain look-ups), but all forms and most other design elements were hidden from Notes. This setting is controlled in the design element properties when looking at the list of design elements.

Since not every view could be hidden from Notes, that means that people could use the View | Go To... menu to open up a view in the Notes client. But there is a way to control the behavior of the View | Go To... menu option. You can see this trick in action in the databases that come with Notes like your local address book. If you use the menu to open the database to a hidden view, the database will still open in the standard frameset. This is the trick we used in this application.

To duplicate this trick, create a frameset. The left frame is a page design element (more on that later). The right frame should have a frame name of NotesView. That's the key - the frame name. The contents of the frame should be the default view of your database. Save the frameset and set this frameset to open when the database is opened in the Notes client. If a user opens up the database through the menu, Notes will recognize that frame name (it must be spelled that way without any spaces) and open up that frameset with the view the user wanted in the right frame.

But the view is still open, so how does that prevent Notes access? We said that the right frame should be named that way. We didn't specify anything about the size of the frame. So, make the width of the right frame 1 pixel and set it to not allow resizing. Then set the width of the left frame to be relative and also not allow resizing. The Notes client will open up that view in the right frame, but the user won't be able to see it and won't be able to resize the frameset. If the user switches to another view, that view will open in the right frame (make sure your left frame has a default target value of NotesView).

With that setup, the user won't be able to open up the database by using the View | Go To... menu option - no matter what they pick, the view will open in that 1 pixel wide right frame. The page in the left frame should include instructions saying that the application cannot be accessed with the Notes client.

Next, we changed the database PostOpen event. This can be found under Database Resources, then Database Script. We changed this event to run formula language code and checked the server and file name of the current database. If it wasn't correct, the database would close:

@If(@Subset(@DbName; 1) = "CN=Production/O=MyCompany" & @Subset(@DbName; -1) = "subdir\\mypath.nsf"; 0; @Do(@Prompt([OK]; "Invalid"; "You are opening an invalid copy of this application."); @Command([FileCloseWindow])))

So if the user made a copy of this database, they still wouldn't be able to get at the data through Notes.

The last thing we did was hide the design. When you replace the design of a database, you can choose to hide the design of the database getting replaced. With the design hidden, users are not able to manipulate the launch settings or that PostOpen event to get around the prevention measures we placed into the application.

All those items combined to make an application that cannot be accessed with a Notes client. Like I said earlier, the very sophisticated Notes developer or power user will be able to get around those measures. We know of ways that someone could get around all this, but we're not going to post them here - the users of this application read this web site and we don't want to give them any ideas. So, if you're posting a response to this entry and include any "here's how you do it" information, note that we will remove those postings. This tip is to make it difficult to access the application through Notes.