
Create Case on Unauthenticated Site VF page

Hey all, (apologies for cross posting but on reflection I think my question might be better placed here)


Anyway, here's a background to what I'd like to do. I have a custom object (Order) which has a status field. When this status field is changed to a certain value I want to send an email to the Order customer. This is straightforward out of the box functionality so that's not a problem.


Here's where I get stuck. In this email I'd like to include a link to a custom Visualforce page, including the Order Id as a query string. The recipient would click the link and be taken to this VF page. The requirement is that the recipient should not have to log in to SFDC to view this page. This VF page will contain one or two fields (probably a datetime type) which the recipient completes and then presses a command button. This command button will trigger code in the controller that will create a case with predefined data as well as the data entered by the recipient.


That's it. Not too complex, but I'm not sure if I can do this all without authenticating the user. Can anyone advise please?





In the configuration for the site, it needs to have the proper security allowances. I recommend the following ONLY if you're using a custom Visualforce controller that is not an extension (i.e., the default structure of the StandardController, controller extensions is not secure enough for the unauthed approach)


Site > Public Access Settings

Case Field Level Security - All fields that are written from the page need to be checked as visible

Case - Create permission checked


Thanks for your reply Paul.


Just to confirm what you mean:

My controller should not extend a StandardController, but should be a complete custom "stand alone" controller that creates the Case?


You got it. That way, you control exposure of data, and you don't open it up to returning data you weren't expecting to, as well as ensuring you don't overexpose as you start to expand usage of Sites. It's not fool-proof, but it's effectively as safe as it gets when it comes to anonymous access. It's the approach we use for our custom web-to-case running on VF, and it works quite well.


Great, thanks. I appreciate the response.
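
A sketch of the stand-alone controller approach recommended in the replies above, added here as an illustration and not code posted by anyone in the thread. The names `OrderCaseController`, `Order__c`, `Case.Order__c` and `Case.Preferred_Time__c` are assumptions, as is the guest user having whatever access to the Order record the lookup requires.

```apex
// Added example: custom controller with no StandardController and no extension.
// Assumed (hypothetical) names: Order__c object, Case.Order__c lookup,
// Case.Preferred_Time__c datetime field.
public with sharing class OrderCaseController {
    // The only value the page binds to; no sObject is exposed to the view,
    // so the anonymous visitor cannot read or set any other field.
    public Datetime preferredTime { get; set; }
    public Boolean submitted { get; private set; }
    private Id orderId;

    public OrderCaseController() {
        submitted = false;
        String raw = ApexPages.currentPage().getParameters().get('id');
        try {
            Id candidate = Id.valueOf(raw);
            // Accept only Ids of the expected object type.
            if (candidate.getSobjectType() == Order__c.SObjectType) {
                orderId = candidate;
            }
        } catch (Exception e) {
            orderId = null; // missing or malformed Id in the query string
        }
    }

    public PageReference submit() {
        if (orderId == null || preferredTime == null) {
            return fail();
        }
        // Predefined data is set server-side; only the datetime comes from the visitor.
        Case c = new Case(
            Subject = 'Order follow-up',
            Origin = 'Web',
            Status = 'New',
            Order__c = orderId,
            Preferred_Time__c = preferredTime
        );
        try {
            insert c;
        } catch (DmlException e) {
            return fail(); // same generic message whether or not the Order exists
        }
        submitted = true;
        return null;
    }

    private PageReference fail() {
        ApexPages.addMessage(new ApexPages.Message(
            ApexPages.Severity.ERROR, 'This link is not valid.'));
        return null;
    }
}
```

The Case fields written here are the ones that need Create permission and field-level visibility under Site > Public Access Settings, as described in the reply above.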