WesNolte__c

Standard Object access "Hack" in Customer Portal

One for the admins.

 

By changing the class declaration of my page controllers (with/without sharing) I can give my classes access to standard objects that customer portal users shouldn't have access to. I'd like to know if this is a security hole and if I'm in danger of it being closed as that would mean vastly changing the user experience for my 1.7 million portal users.

 

Wes

Best Answer chosen by Admin (Salesforce Developers) 
mtbclimber

Thanks for the question Wes.

 

We have no plans to close the ability to cross over license restriction boundaries with Apex because that would defeat the purpose of system mode. You could not, for example, maintain a business rule in your CRM system if Apex failed because the user's license restricted him/her from making the legitimate change in the system that tests the rule.

 

You should know, however, that we monitor occurrences of license restriction cross over for abuse. As long as you are simply enforcing rules or otherwise leveraging data to control UI treatment, for example showing something different in a portal for a customer with an open opportunity vs. one without, then you should be fine.

 

If your customer portal users aren't actually customers (or potential customers) then you probably have reason to be concerned. :)
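An added example, not code from this thread or from Salesforce, of the pattern Andrew describes as acceptable: a page controller that runs under the portal user's own sharing, with the license cross-over confined to a small `without sharing` inner class that returns a decision (does this customer have an open opportunity?) rather than the restricted records. The class and method names, the Visualforce page it would back, and the assumption that the portal user's `User.AccountId` is populated are hypothetical. The `isAccessible()` check and `WITH SECURITY_ENFORCED` postdate this thread and are included as the checks a current practitioner would add.

```apex
// Added example (not from the original thread). Hypothetical controller for a
// Customer Portal page that treats customers differently when their Account
// has an open Opportunity, an object the portal license does not expose.
//
// Anti-pattern the question asks about: declare this whole controller
// "without sharing" and return the Opportunity records to the page. That uses
// system mode to hand restricted data to a license-restricted user.
//
// Constrained pattern: the outer class respects the user's sharing, and the
// only system-mode code is an inner class that answers a yes/no question.
public with sharing class PortalOpportunityController {

    // Exposed to the page: a decision, not the underlying records.
    public Boolean hasOpenOpportunity { get; private set; }

    public PortalOpportunityController() {
        hasOpenOpportunity = new PrivilegedCheck().hasOpenOpportunity(currentAccountId());
    }

    // Data the portal user is licensed for still gets an explicit object-level
    // check plus field-level enforcement in the query (WITH SECURITY_ENFORCED
    // is newer than this thread; it throws if a selected field is not readable).
    public List<Case> getMyCases() {
        if (!Schema.sObjectType.Case.isAccessible()) {
            return new List<Case>();
        }
        return [SELECT Id, Subject, Status
                FROM Case
                WHERE AccountId = :currentAccountId()
                WITH SECURITY_ENFORCED
                ORDER BY CreatedDate DESC
                LIMIT 50];
    }

    // Portal users carry their Contact's AccountId on the User record
    // (assumption: the running user is a portal user with a mapped Contact).
    private static Id currentAccountId() {
        return [SELECT AccountId FROM User WHERE Id = :UserInfo.getUserId() LIMIT 1].AccountId;
    }

    // Inner classes do not inherit the outer class's sharing setting, so this
    // is the one place the code crosses the license boundary. Keep it small,
    // take only an Id the caller already owns, and never return an sObject.
    private without sharing class PrivilegedCheck {
        public Boolean hasOpenOpportunity(Id accountId) {
            if (accountId == null) {
                return false;
            }
            return [SELECT COUNT()
                    FROM Opportunity
                    WHERE AccountId = :accountId AND IsClosed = false] > 0;
        }
    }
}
```

To confirm the cross-over stays confined, an Apex test can wrap calls in `System.runAs()` with a portal user and assert that `getMyCases()` returns only that user's visible Cases while `hasOpenOpportunity` is still populated; a direct Opportunity query placed in the `with sharing` outer class in the same test should return nothing for that user, which is the behaviour the portal license is meant to give.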

All Answers

WesNolte__c

Thanks Andrew. Doing some due diligence and I needed the answer from someone who knows the product, not just a "Sales Engineer".

 

I was experimenting anyway and it seems like the "cross over" has been plugged in most places anyway. I assure you that I'm only doing this for customer facing stuff although I realise your message isn't just for me ;)

 

Thanks again,

Wes