How to prevent databaseName to change datasource

Sven HasselBach blogged (Link) about that you could change the datasource of any XPage using a url parameter called databaseName. Doesn’t ACL apply you might ask. Yes it does so that isn’t a problem.
OK, isn’t there a setting to ignore url parameters, yes there are but If you use this you will get problems with the built in controls. They use url parameters.

Is this a problem then ACL apply shouldn’t that be enought?
No because there might be some databases where the user should be able to create documents in.
and this could create documents of a certain type in a database were they shouldn’t be.  

To prevent the use of the databaseName parameter I have created this code that you can place in the onClientLoad event in a customcontrol or directly in an XPage

 var url=context.getUrl()
  1. Another idea is to prevent all databases at once by creating a rule in the Global Web Settings for the Domino domain.

    Something like this:

    *.nsf/*databaseName=*. –> Redirect to an error Page

    (the rule is not tested, just typed directly from my brain)

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.