Wednesday, March 22, 2006

Security Issue with MultiTemplate DocLib

The reason for pulling back v1.1 is that when I tested the doc lib with a non-admin user, an authentication problem arose.

My initial idea was to store all the local templates in the Forms folder. However, I found out that non-admin users are not able to access files in the Forms folder. I found a workaround for this: I just create another folder (named documentTemplate) in the doc lib and store those templates in this folder. My code then reads all the templates from this folder.

As I continued testing, I found another security issue. When a non-admin user creates a new document from a template stored in the global template (under _layouts/documentTemplate), the user gets an authentication dialog. Word, Excel and PowerPoint handle this differently. In Word and Excel, if you click Cancel in the dialog, the template that you selected will still open. In PowerPoint, however, the template will not open. This issue also happens in v1.0, which I had not tested with a non-admin user.

I am still in the middle of finding out why there is an authentication dialog. I will update once I have found the solution.


