You need to sign in to do that
Don't have an account?
YWAMRTOadmin
Create data in (managed) Custom Object
This is what I'm imagining:
Person goes to {site}.force.com/registration
a form comes up with standard conatct information.
They fill out the form and it populates data in a (Managed) custom object.
The data can then be dealt with.
First off, is this possible? Every time I try to use a VF page with the inputfields from the object, I get a log in. I need there to be no login as this will be a customer signup-like page.
you need to go into the security for the site and allow the insertion of records for that custom object. be careful though, as there are specific security concerns you need to take into account when allowing data to be written anonymously, specifically, i HIGHLY recommend not using the standardController for the object, and rather, writing your own controller, with limited functionality (inserts data, but no methods for retrieving it back to the user).
an example of how this could go wrong if using the standardController:
1. You have <apex:inputField> items in your page
2. You allow the Force.com Site to read records in your org.
3. Attacker uses a script to "guess" your record ID's
4. When your page is visited via <company>.force.com/page?id=<guessedID> , the record's information is dispjlayed to the attacker.
this is because the standardController for default and custom objects allows for the "id" parameter to be passed to the page, and it will pre-populate the input fields for the selected record. This is usually done to allow for record updates to be enabled easily, but in an anonymous implementation, it's pretty blatantly a security hole.
I'm not trying to scare you, but rather trying to educate and warn based on past experiences. We were close to rolling out a more intelligent Web-to-Case form in Force.com Sites, and I found this out prior to launch, thankfully. If I hadn't, all an attacker would need to do is guess RecordID's to get our customer info. Yes, the risk of this happening is small due to the randomness of the ID's, it's still a concern that needs to be addressed if you are handling customer info in conjuntion with apex:inputField .
All Answers
you need to go into the security for the site and allow the insertion of records for that custom object. be careful though, as there are specific security concerns you need to take into account when allowing data to be written anonymously, specifically, i HIGHLY recommend not using the standardController for the object, and rather, writing your own controller, with limited functionality (inserts data, but no methods for retrieving it back to the user).
an example of how this could go wrong if using the standardController:
1. You have <apex:inputField> items in your page
2. You allow the Force.com Site to read records in your org.
3. Attacker uses a script to "guess" your record ID's
4. When your page is visited via <company>.force.com/page?id=<guessedID> , the record's information is dispjlayed to the attacker.
this is because the standardController for default and custom objects allows for the "id" parameter to be passed to the page, and it will pre-populate the input fields for the selected record. This is usually done to allow for record updates to be enabled easily, but in an anonymous implementation, it's pretty blatantly a security hole.
I'm not trying to scare you, but rather trying to educate and warn based on past experiences. We were close to rolling out a more intelligent Web-to-Case form in Force.com Sites, and I found this out prior to launch, thankfully. If I hadn't, all an attacker would need to do is guess RecordID's to get our customer info. Yes, the risk of this happening is small due to the randomness of the ID's, it's still a concern that needs to be addressed if you are handling customer info in conjuntion with apex:inputField .