One issue he has hit is with a bug in the Flash Player which means for non IE browsers session authentication is not sent with the fileupload HTTP Post. This means currently only anonymous individuals can upload attachments on non IE browsers. This of course could be a real problem for applications which require users to sign in – is there any that don’t?
To get around this I have been brainstorming an idea which hopefully gets around this problem.
My original suggestion was just to allow the post to go to a design element which allows Write Public access and have an agent do the actual attaching – a proxy service. The problem is this HTTP Post could then be executed by anyone who could see the HTTP traffic – though the actual agent would expect a valid UNID and discard anything else, this in turn with the fact that this would only work for documents which an originally authenticated user could see (to get the UNID) mitigates the risk quite allot.
The following flowchart describes a process which should mitigate even that issue.
It basically shows that the initial request to Domino is to a restricted agent to create a stub document which in turn returns the UNID of this stub document. This stub document UNID is then used to post the attachment via the public access agent – this agent will then look for the stub document to complete the request. No stub document then no attachment.
As a new stub document is created for each request (and then discarded) it shouldn’t be possible for anonymous user to reuse the HTTP Post.