Standard Object access "Hack" in Customer Portal
One for the admins.
By changing the class declaration of my page controllers (with/without sharing) I can give my classes access to standard objects that customer portal users shouldn't have access to. I'd like to know if this is a security hole and if I'm in danger of it being closed, as that would mean vastly changing the user experience for my 1.7 million portal users.
Wes
Thanks for the question Wes.
We have no plans to close the ability to cross over license restriction boundaries with Apex because that would defeat the purpose of system mode. You could not, for example, maintain a business rule in your CRM system if Apex failed because the user's license restricted him/her from making the legitimate change in the system that tests the rule.
You should know, however, that we monitor occurrences of license restriction cross over for abuse. As long as you are simply enforcing rules or otherwise leveraging data to control UI treatment, for example, showing something different in a portal for a customer with an open opportunity vs. one without, then you should be fine.
If your customer portal users aren't actually customers (or potential customers) then you probably have reason to be concerned. :)
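The use case named in the answer above (system-mode Apex that only drives UI treatment for a customer with an open opportunity), as an added example that is not part of the original thread or Salesforce's own code. The class name is hypothetical, and it assumes each portal user is linked to a Contact whose Account holds the opportunities.

```apex
// Added example: hypothetical controller for a portal Visualforce page.
// "without sharing" means record-level sharing rules are not applied to the
// queries below, and Apex runs in system mode, so the class must do its own
// scoping and expose as little as possible.
public without sharing class PortalOpportunityBannerController {

    // The only value the page can read: a flag, not Opportunity records.
    public Boolean hasOpenOpportunity { get; private set; }

    public PortalOpportunityBannerController() {
        hasOpenOpportunity = false;

        // Resolve the running user's own account on the server side.
        // No account Id is ever taken from page or URL parameters.
        List<User> me = [
            SELECT ContactId, Contact.AccountId
            FROM User
            WHERE Id = :UserInfo.getUserId()
            LIMIT 1
        ];
        if (me.isEmpty() || me[0].ContactId == null
                || me[0].Contact.AccountId == null) {
            return; // not a portal user with a linked account: default UI
        }
        Id accountId = me[0].Contact.AccountId;

        // Only a count crosses the license boundary; no Opportunity
        // fields (amount, stage, owner) are returned to the page.
        Integer openCount = [
            SELECT COUNT()
            FROM Opportunity
            WHERE AccountId = :accountId
            AND IsClosed = false
        ];
        hasOpenOpportunity = openCount > 0;
    }
}
```

A page bound to this controller can branch on `hasOpenOpportunity` in a `rendered` attribute without any Opportunity data being sent to the portal user.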
Thanks Andrew. Doing some due diligence and I needed the answer from someone who knows the product, not just a "Sales Engineer".
I was experimenting anyway and it seems like the "cross over" has been plugged in most places anyway. I assure you that I'm only doing this for customer-facing stuff although I realise your message isn't just for me ;)
Thanks again,
Wes