
Using portal authentication with sites and potential security problem

I have a Site built using Authenticated Website Users and Customer Portal for login. It lets users sign in via the portal login, and then they are directed to a Sites page. The portal users have read access to a custom object, but I'm determining which records they can see in the controller for the Sites page based on custom object relationships.


This works great, except for two problems:

1. If the user knows a record ID for the custom object, they can add it to the URL and see the record via the portal. This lets them get around the rules we're using in the controller for which records they can see.

2. If the user happens to type 'home/home.jsp' after the site's URL, they end up in the portal. They can't see anything there, but it's still sloppy and it would be easy to accidentally let them see something there.


The best solution would be if we could simply turn off the portal itself and just use it for authentication, but it doesn't seem like there's a way to do this right now. Does anyone have any suggestions for how to deal with this or any experience with this problem that led to any good workarounds?


You can't block accessing the standard pages in portal.

However, you can control what objects they can access and what records they can see via the portal user profile (CRUD, FLS) and sharing rules.




Thanks for the reply Bulent, but this doesn't work quite the way I'd hoped. I can control crud for Authenticated Website User via object permissions, but there's no way to limit them to seeing specific records. Sharing would be the answer with other types of portal license, but it doesn't apply to Authenticated Website User.


The result is that there's no way that I can find to limit a record to being visible only to specific Authenticated Website User users without putting a lookup to their contact or account on the record, so we can't have one record in our custom object that's available to a group of Authenticated Website Users.


Is there some way to handle this that I haven't thought of?


Yes, authenticated website user doesn't have roles, can't be part of sharing rules and can't be part of groups.

Creating a lookup to contact or account is the only way of restricting the record access.