Quick Tip On Refreshing Templates

Was watching another one of David Leedy’s NotesIn9 videos the other day, and he mentioned how he likes to use local templates for development and throughout the day is constantly pushing the changes up to the server database using Application >> Refresh Design… I do the same thing because it’s so much faster to do XPages development on a local NTF.

This is just a small tip, but if you’re not aware of this it will save you lots of clicks during the course of a day.

Create a custom toolbar button for the Notes “Workspace” toolbar that does @Command([DesignRefresh]).  With this you can click once on the database that you want to push the changes to select it, click the toolbar button, and hit ENTER twice.*

Before I noticed this @Command and it clicked in my head to put it in a button, I used to right-click on the db icon and go through the menus every time.

If you’re not familiar with creating your own buttons in Notes, you’re probably not alone.  It’s not in a place most people typically go…

  1. In Notes, go to File >> Preferences
  2. On the left, expand Toolbar and click Customize
  3. Select “Workspace” for the Toolbar to Customize
  4. Click the New >> Button
  5. Use “Design Refresh” for the Button Caption and Popup Help text
  6. Use @Command([DesignRefresh]) for the formula, and hit OK.

*  For this to work easily, make sure your templates are in the root of your local Notes data folder.


Phishing at a new level (another company hit by this)

Update 02/23/2016:

I was speaking with another one of my customers (a similar, small hi-tech firm) and they have also been hit with the same kinds of precisely targeted emails to their Accounts Payable person.  In their case, the one email said it was from the president and a second attempt said it was from the CFO.  They told me the one from the CFO “even sounded like the way she talks.”

Note: In reviewing these emails you can look at some of the message fields to get more information.   Select a message in any view in your mail file and use ALT-ENTER to bring up the Document Properties box.  There you can use the second tab to examine field values.

Compare the From field to the SMTPOriginator field (it will have one if it originated outside of your organization), and the ReplyTo field.   Also, look at the $MessageID field to get info about the server it went through.

Or, if you have the email open (which is a judgement call whether or not you want to risk opening it), you can use View >> Show >> Page Source to view the message headers to see this information.


You can report these types of attacks to:

FTC  –  www.ftccomplaintassistant.gov

FBI Internet Crime  –   ic3.gov


Phishing at a new level (at a 2nd company)

They are getting sneakier at this…

One of my customers is a small, high-tech firm.  Their financial officer got an email from the company’s President, addressed specifically to her, asking her to wire him a large sum of money, right away.  The body of the email said something like:


I’m traveling and need you to wire me $260,500 immediately to ____  .  I’ll fill you in on the details later, but I need you to send it right away.



It was completely personalized, marked urgent, written in grammatically correct English, and the From field had John’s correct email address (the SMTPOriginator and ReplyTo had a different email).  Talk about targeting!   Fortunately, she would never do that without speaking to him, but I could definitely imagine this working if the small company had an unpredictable boss.

To prevent this in the future, I’ve set their anti-spam service to block any inbound messages that say they are from their own email domain (since those should only be going outbound).

Also, some of the emails used an email address where they added an extra lower-case “l” in the mail domain portion, in this case, butted up to an “h”, so it was barely noticeable (ex. johndoe@abcdefgh.com was used as johndoe@abcdefglh.com).  So, I also blocked several with similar domain misspellings.
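An added example (not from the original post) of the checks described in this post: it compares the From domain with Reply-To and Return-Path, flags inbound mail that claims your own domain, and flags domains one character away from it. Return-Path is assumed here to carry the same envelope sender that Domino stores in SMTPOriginator; the function names and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "abcdefgh.com"  # example domain from the post; use your own

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent/invalid."""
    local, at, dom = parseaddr(header_value or "")[1].rpartition("@")
    return dom.lower() if at else ""

def within_one_edit(a, b):
    """True if a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one substituted character
    return a[i:] == b[i + 1:]           # one extra character in b

def check_inbound(raw, own_domain=OWN_DOMAIN):
    """Return a list of findings for one inbound RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    if from_dom == own_domain:
        findings.append("From claims own domain on inbound mail")
    for name in ("From", "Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if within_one_edit(dom, own_domain):
            findings.append(f"{name} uses lookalike domain {dom}")
        elif name != "From" and dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ('From: "John Doe" <johndoe@abcdefgh.com>\n'
           "Reply-To: johndoe@abcdefglh.com\n"
           "Return-Path: <sender@mail.example>\n\nbody\n")
LEGIT = ("From: billing@vendor.example\n"
         "Return-Path: <billing@vendor.example>\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_inbound(raw))
```

A Reply-To or Return-Path mismatch on its own is only a signal for review, since legitimate bulk senders often use a separate bounce domain.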

Thought others might want to be aware of this one, too.



Note to IBM: Never use the word “legacy”

Sorry to start the New Year with a complaint, but man, this annoys the $h!T out of me!

Yesterday I was at a customer’s office getting some new engineering students up and running with Notes.  When one of them mentions being less than thrilled to have to use Notes, I start championing the product, explaining the reasons why a smart engineering research company like this one continues to use it.

So we go to set up his Android to use Traveler, and although I’ve seen it before today (they added it in a Traveler Fix Pack, no less!) it really bugged me to see the Traveler Page give the options:

Download the IBM Verse client for Android from the app store
Download the legacy IBM Traveler client for Android

Dear IBM,

First of all, hijacking Traveler’s set up page and putting the Verse link above the Traveler link is such a blatant attempt to push your new product, that it looks like a cheap trick.  Plus, on many devices the links run together, looking like it is a single link.

More importantly to Domino customers is that so many factions have been trying to get them to switch to something else for years (no, decades), and one of the best features added to Domino in recent years that has helped keep customers from doing just that is Traveler.  Many people love it.  So, to call one of Domino’s best features “legacy” is like poisoning your own well.

To IBM product marketing, I wish you well, but just switching to the latest IBM stuff is not a likely option for hardly any of the SMB companies that I work with.  So, to think they’ll just adopt it because you’d like them to is just wishful thinking.  Right now, you’re just confusing them.  If you stand half a chance of them doing it in the future, it will be because they feel good about keeping and using Domino.

Never use the word “legacy” in your own product about your own product.


Easy Way To Prevent Browsers From Hacking Into Views (take #2)

After the previous post, Nathan pointed out how simple it is to turn off JavaScript in the browser.

So okay, I should’ve thought of that. But after doing some testing, I found that the technique still prevents views from being accessed because even if JavaScript is disabled the user will only see a blank page.

Which got me thinking… it may be better to do it without any JavaScript by putting an HTTP META refresh in the HTML Head Content of the $$ViewTemplateDefault FORM with the formula:

"<meta http-equiv=\"refresh\" content=\"0;URL='/" + @WebDbName + "'\" />"

To recap: If a browser tried to hack your URL by guessing the name of a real view (ex. http://www.acme.com/db.nsf/all), Domino will try to use the default view template to display the view, but the META refresh will redirect the user back to the base URL of the NSF, which will force it to use the application’s launch property to take the user where you want them to be.

If the view name they try is not a real view in your database, they’ll get a different error that the design element does not exist. So, it might be a good idea to also create a $$ReturnGeneralError FORM from a copy of the $$ViewTemplateDefault.

Easy Way To Prevent Browsers From Hacking Into Views

The other day I saw a post from Steve Zavocki “Quick Tip: Don’t Forget to Hide Views from Web Browsers”  (http://notesspeak.blogspot.com/2015/09/quick-tip-dont-forget-to-hide-views.html) which reminded me of a technique I’ve used on XPages applications to restrict anyone from guessing a view name to peek at the data.

One line of JavaScript does it!

Simply create a $$ViewTemplateDefault FORM with a Computed Text element with the formula:

"<script>window.location=\"/" + @WebDbName + "\";</script>"

Then highlight the Computed Text and mark it as Pass-Thru HTML. Finally, save the form.

Any time a browser tries to open a view by guessing a name (ex. http://www.acme.com/db.nsf/all?OpenView), the browser will be redirected to the database name (in our example: http://www.acme.com/db.nsf), which then uses the Application Property on the Launch tab for “When opened in a browser” to direct it where you want users to go by default. It’s nice because this protects all your views in this database. Plus since the formula uses the @WebDbName function, you can copy this form and use it in any database.

(And if you are using some traditional web views in this same application, you can create a specific $$ViewTemplate for each of them.)


Update 09/21/2015  –  Thanks Nathan, for the reminder about how simple it is to disable JavaScript.  The above technique still prevents views from being accessed because if JS is disabled, the blank form is displayed to the user.

Alternatively, we can do it without JavaScript by using the HTTP META refresh in the HTML Head Content with this formula:

"<meta http-equiv=\"refresh\" content=\"0;URL='/" + @WebDbName + "'\" />"

MWLUG – and now a word from our sponsors…

MWLUG was a great conference.  It is always very inspiring to see all the ways these hard-core individuals are stretching the boundaries of what can be done with Notes and Domino, integrating it with lots of new technologies (or at least technologies that are new to me ‘-).

Unfortunately from what I understand, sponsors were a bit disappointed by the amount of traffic at their booths.  I can understand that if your job is in sales that you want to see direct results from your efforts.

However, I’d like to point out that although MWLUG may not have generated a lot of new leads for the sponsors, sponsorship is really important for keeping the Notes/Domino market alive. LUG attendees are really the most ardent champions of the product, and we are the ones that are doing the most to keep companies from leaving it for other technologies. Unfortunately, since most of us have been to lots of LUGs and IBM Connect/Lotuspheres we are pretty familiar with most of the sponsors and their products.

My point is that from a direct accounting perspective it may not look like LUG sponsorship brings a good return on investment, but from a larger perspective, sponsorship is the most cost-effective thing your companies can be doing to keep the market for your products alive.

When I tell my customers that I’m flying off to attend an event, it gives them the reassuring message that the products are being used by lots of others – which is a good message to counter all the FUD that they’re hearing from the competition.

Thank you for sponsoring LUG events.  We really appreciate it.