Sibendu Das

Restrict guest users in Experience cloud site from accessing getConfig or getObjectInfo

Dear Experts,

I am exploring vulnerabilities in Experience Cloud sites as per the following article:
https://www.varonis.com/blog/abusing-salesforce-communities

My guest user profile does not have any permission to any objects, APIs or anything else.

In Sharing Settings setup, the "Secure guest user record access" checkbox is selected.

Even after that, with the guest user profile and guest user settings, it still allows the guest user to access site configuration data (aura://HostConfigController/ACTION$getConfigData) and object details (aura://RecordUiController/ACTION$getObjectInfo).

It is only applying record level access, i.e. the guest user cannot access any records other than its own user record.

Is it possible to restrict guest users further from accessing site configuration?

Thanks in advance. 

Regards
Das

Vinay (Salesforce Developers)
Hi Das,

Can you check below settings?
https://trailhead.salesforce.com/content/learn/modules/nonprofit_volunteer_website/configure-data-access-for-your-site

Thanks,
Sibendu Das
Dear Vinay,

Thank you very much for your response. I have checked this about controlling data shared with additional sharing rules.

However my question is different - can we restrict guest users from accessing site configuration?
Currently it seems that guest users can pull a lot of site configuration information by using this method - aura://HostConfigController/ACTION$getConfig

Does Salesforce provide a configuration option to block this? Or is this by design?

Regards
Das
Vinay (Salesforce Developers)
Hi Das,

As per my understanding, you would need to restrict the Lightning app accessible to guest users by removing the ltng:allowGuestAccess interface.

https://developer.salesforce.com/docs/component-library/bundle/ltng:allowGuestAccess/documentation

There is no option to block any component for guest users on experience builder site.

Hope this helps...

Thanks,
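For readers landing on this thread: the change Vinay describes, shown as an added example (not code from this thread or from Salesforce). The app name and the dependency component name are assumptions; the weak form is shown next to the corrected one.

```xml
<!-- Added example; GuestPortalApp.app and c:caseLookup are hypothetical names. -->

<!-- Weak form: a Lightning Out dependency app that implements ltng:allowGuestAccess.
     Unauthenticated guest users can load this app, and with it the components and
     server-side actions it depends on, through the site's Aura endpoint. -->
<aura:application access="GLOBAL" extends="ltng:outApp" implements="ltng:allowGuestAccess">
    <aura:dependency resource="c:caseLookup"/>
</aura:application>

<!-- Corrected form: same app with the ltng:allowGuestAccess interface removed.
     Only authenticated users can now load the app; anything a guest still needs
     has to be exposed deliberately, not by inheriting guest access from the app. -->
<aura:application access="GLOBAL" extends="ltng:outApp">
    <aura:dependency resource="c:caseLookup"/>
</aura:application>
```

After deploying the change, confirm the effect from a logged-out browser session against the site rather than trusting the markup alone, and re-check any other apps in the org that still implement the interface.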