"What you're suggesting then is to design outside of the standard Domino paradigm and separate the form the user sees from the stored document with a WQS agent to tie the two together? Seems a big step to take, but, I guess, should the situation demand that level of paranoia it's the only way to go. So you'd never see a ?EditDocument URL?"
Exactly. When you have credit card info or customer data you MUST take every precaution not to expose that data. On UP1 if somebody requests a "My Account" update then a temporary document is created (albeit minus some very important details such as the credit card number). That document will only last for a maximum of 10 minutes after creation/modification by the user, and it will never directly update the original document. It is added and a change logged in against it which is resolved at a later date *if* somebody places an order afterwards. (Stops people creating a valid account, submitting on order, then changing the billing/deliver address after ordering).
"What you're suggesting then is to design outside of the standard Domino paradigm and separate the form the user sees from the stored document with a WQS agent to tie the two together? Seems a big step to take, but, I guess, should the situation demand that level of paranoia it's the only way to go. So you'd never see a ?EditDocument URL?"
Exactly. When you have credit card info or customer data you MUST take every precaution not to expose that data. On UP1 if somebody requests a "My Account" update then a temporary document is created (albeit minus some very important details such as the credit card number). That document will only last for a maximum of 10 minutes after creation/modification by the user, and it will never directly update the original document. It is added and a change logged in against it which is resolved at a later date *if* somebody places an order afterwards. (Stops people creating a valid account, submitting on order, then changing the billing/deliver address after ordering).