
A NotesSession JavaScript Object

Had some fun this weekend messing about with Ext and making a start on DExt — my Domino framework that builds upon it.

I know I'm banging on about Ext lately, but, even if you couldn't care less, this is worth the read as it's useful outside the Ext framework as well.

Take another look at the DExt app. Notice there are now two drop-down menus on the top left: one called Create, the other called Options. Create is disabled and greyed out. The Options menu has a Login item, which displays a login dialog box. Log in as "Dext" (a real registered Domino user) and you'll see the Create menu enables and the Login menu item becomes Logout.

How does it do this? Well, we could easily do it server side in a normal HTML-based app, but the UI in Ext is built client-side at "run time". Because of this our JavaScript needs to know all about the user's session.

To create an equivalent of a NotesSession in JavaScript I created a Form and called it dext.js. This form contains nothing but JavaScript and creates the DEXT object, which contains a load of properties of the current session. It's added to the page using a ?ReadForm request as its content-type won't allow it to be edited.

<script src="dext/dext.js?ReadForm" type="text/javascript"></script>

You can see the contents here (switch to Firefox first! IE won't open it). With this code available we can now do lots of stuff in our code, such as:

// Show the current user's common name, read from the DEXT session object
Ext.MessageBox.show({
        title: 'About You',
        msg: "Your name is "+DEXT.Session.User.Name["Common"]
});

or

// Grey out the Create menu unless the ACL lets this user create documents
toolbar.add({
        cls: 'x-btn-text-icon bmenu',
        text:'Create',
        disabled: !DEXT.Session.User.Access.CanCreateDocuments
});

Earlier I made out that you had to be logged in to see the create menu. As you can see from the code above this isn't strictly true. If Anonymous had create document rights in the ACL the menu would be enabled. Although if you wanted the former to be true you could change it to:

// Grey out the Create menu unless the user has logged in
toolbar.add({
        cls: 'x-btn-text-icon bmenu',
        text:'Create',
        disabled: !DEXT.Session.User.Authenticated
});

The DEXT.Session class also contains a couple of methods: login and logout. The login method builds the login from scratch. Part of the code for this is:

{tag:'input', type:'hidden', name:'redirectto', value:DEXT.Database.Path}

Notice we've passed the database's path to the RedirectTo field to make sure this is where we come back to.

There's more you can do with it but I think this proves the point.

As I mentioned earlier you don't need to be using Ext to use a "Domino" JavaScript object that contains invaluable information about the user, current session and database. You could add a similar form to any database and make use of it.
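The toolbar snippets above decide what to show from values held in the browser, so they are display hints and the database ACL remains the only access control. As an added example (not code from DExt or this site), the sketch below simulates both sides; `renderSession`, `createMenuConfig`, `handleCreateRequest` and the ACL table are hypothetical stand-ins, and only the `DEXT.Session.User` property paths come from the post.

```javascript
// Constructed ACL for the simulation: the server-side source of truth.
const ACL = new Map([
  ["Dext", { canCreate: true }],
  ["Anonymous", { canCreate: false }]
]);

// Server side: roughly what a form like dext.js would emit for one user.
function renderSession(userName) {
  const entry = ACL.get(userName) || ACL.get("Anonymous");
  return {
    Session: {
      User: {
        Name: { Common: userName },
        Authenticated: userName !== "Anonymous",
        Access: { CanCreateDocuments: entry.canCreate }
      }
    }
  };
}

// Client side: a UI decision only, using the same expression as the toolbar.
function createMenuConfig(DEXT) {
  return { text: "Create", disabled: !DEXT.Session.User.Access.CanCreateDocuments };
}

// Server side: the real check. It is keyed on the identity the server
// authenticated for the request and never reads anything sent from DEXT.
function handleCreateRequest(authenticatedUser) {
  const entry = ACL.get(authenticatedUser) || ACL.get("Anonymous");
  return entry.canCreate === true;
}

function demo() {
  const DEXT = renderSession("Anonymous");
  const disabledBefore = createMenuConfig(DEXT).disabled;
  // The page's owner can change any value in their own browser...
  DEXT.Session.User.Access.CanCreateDocuments = true;
  const disabledAfter = createMenuConfig(DEXT).disabled;
  return {
    disabledBefore,                                      // menu greyed out
    disabledAfter,                                       // menu now enabled
    anonymousAllowed: handleCreateRequest("Anonymous"),  // ...server still refuses
    dextAllowed: handleCreateRequest("Dext")
  };
}

console.log(demo());
```

Any agent or form the menu leads to needs the same server-side check; a greyed-out button only saves honest users a failed request.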

Comments

  1. Awesome! I covered how to create a NotesSession and a NotesDocument object in my @Formulas meet Ajax session at this year's Lotusphere. Your approach is slightly different than mine though but they accomplish the same thing. I'll blog about it later today to show everyone my approach.

    I know most people are glued to what we've been able to do with the web UI of Domino apps using Ext. However, I hope everyone realizes how cool this other is. IBM wouldn't do it for us but you and I and maybe some others will and that is to build "JavaScript Classes" for the Domino Objects.

    • Brian Miller
    • Mon 26 Feb 2007 09:30 AM

    Good stuff!

    I wouldn't bother using YAHOO.namespace(), though, because you're only going one level down, and you're reassigning the namespace anyway. Just use "DEXT = {}", and you've made it simpler while saving yourself an object.

    • Jake Howlett
    • Mon 26 Feb 2007 09:41 AM

    Hi Brian. I'll look into this. As what I am doing is mainly a case of standing on the shoulders of giants I am merely doing as they do.

    What I need to do though is take a step back and start to understand more of what I am doing in terms of core JavaScript. For example, the "this" keyword is causing me some confusion and I find myself guessing how code works instead of understanding how. Always dangerous.

    • Bill E
    • Mon 26 Feb 2007 12:24 PM

    From a security perspective, is it really ok to publish some of the information in the source for JS? Would it pass a security audit? Looks great, though! =)

    • Jake Howlett
    • Mon 26 Feb 2007 12:50 PM

    That occurred to me as well Bill. Can't see anything in there that could be considered harmful though. Apart from, maybe, the server build, which might be of use to a hacker. Apart from that there's nothing to worry about.

    • Brian Miller
    • Mon 26 Feb 2007 02:38 PM

    @Jake:

    1. Read this: {Link}

    In fact, the more time you spend reading quirksmode, the more this kind of thing will click. You might even consider buying a copy of PPK's book for reference.

    2. One of the simplest functions in YUI is the namespace function, which is there to save the Y folks some typing. They use multiple levels of objects for namespacing, so if they want to create a new sub-library, they can start with:

    YAHOO.namespace( 'foo.bar.baz' );

    instead of:

    YAHOO.foo = {};

    YAHOO.foo.bar = {};

    YAHOO.foo.bar.baz = {};

    I hope that explains things a bit.

    @Bill E:

    I've had some spirited discussions with people about the security issue. What it boils down to, in my mind, is that the information coming out of the server for this sort of thing is the same, on the wire, as what you're pulling down in a regular domino-generated web page. Having it in JS or JSON is no better or worse than plain HTML. If you're worried, use HTTPS. If you're still worried, pack the script before you send it.

  2. I also have some security concerns.

    To set full "client-side access", a simple bookmarklet will do.

    javascript:(function(){access=YAHOO.DEXT.Session.User.Access; for(item in access){if(typeof access[item] === "boolean"){access[item]= true;}}})()

    I would think that a greasemonkey-script, or a debugger like Firebug (using breakpoints) can help the user to override the access-variables before the layout is initialized.

    If you don't expose any unsecured server-side agents/etc, this will not be a problem.

  3. Sorry to double post (no edit post-button).

    If you're interested in learning about the scope of "this", Douglas Crockford (the father of JSON) has written a simple but informative article about "Private Members in JavaScript": {Link}

    • Jake Howlett
    • Mon 26 Feb 2007 04:31 PM

    Thanks for the links guys and the explanation Bill.

    Tommy. Yeah, yeah, very impressive. Obviously it's a doddle to "hack" it, but it's not meant as a replacement for Notes-side access control. If they have reader access they can do what they like to the DEXT properties -- it's not going to magically give them author rights to the database now is it!?

    Horses for courses init.

  4. I only wanted to point out that every (non-native) object/property in JS is open to be read/overwritten by very simple means, not to trample on your excellent initiative for making it easier for Notes developers to make advanced applications on the web.

    Pardon my arrogance.

    • Jake Howlett
    • Tue 27 Feb 2007 04:22 AM

    Hi Tommy. Maybe I was a little over-defensive in my reply. Sorry about that ;o)

    It's running a blog that does it to you. You become all defensive and bite back at anything at all. I think I talked before about how it sometimes feels a bit like there's a desire to prove me wrong. Probably just me being paranoid though.

    Having re-read your post today I see it was all well meant and constructive commentary. My reply has a tone to it that I didn't really intend. Such is the problem of this form of communication.

    Anyway, don't pretend you've never written an app where - for security - you've relied on user ignorance. Come on, we've all done it.

    Jake

  5. Ext Alpha 6 is up with a hidden gem (Ctrl-Shift-Home) on any form.

    Out of curiosity, I tried this on my Notes workspace and discovered that I could "drag" database icon(s) without using the mouse, to another location on my workspace including other tabs. I can't count how many times I've started a mouse drag to another workspace tab only to have overshot the tab and have every location turned into a 'no-drop' zone along with crossed out circle as a mouse pointer.

    It's not ground breaking, but definitely a technique that I'll use from now on.

    • Michael
    • Wed 28 Feb 2007 10:19 PM

    The keyboard drag feature is in the help docs as Ctrl-Shift-arrow keys but it works with the Home and End keys as well.

  6. Dear Jake,

    Your articles helped me a lot in order to learn to develop in Domino platform.

    I have found your articles on Yahoo-ext library very interesting.

    You can enclose the database, or mailed me, to unload to the study ends?

    Thanks in advance.

    p.s. Sorry for my English

    and greetings from Venice

  7. Hi Jake, this is a very interesting article - I found it very helpful to me in nailing a javascript framework to use on a personal project - so, thank you! How advanced are you on the DExt framework?

    In terms of security, I see web apps almost every day - on other platforms where SQL injection and helpful error messages can lead a hacker into many so-called secure sites and databases - fortunately, most people know very little about Domino. In this case exposure is minimal and still does not override Domino database security.


About This Page

Written by Jake Howlett on Mon 26 Feb 2007
