Hi everyone,

Do you know a way to test a class that uses Site.createPortalUser and expect it to be successfull?

Do we have any way to "fake" the success of this call?

I have a lot of code that depends on the success of this call and I don't know how to test it.

Cheers,

Laurent

Hi, 

I get XSRF issues on some of my VF pages when I use the security tool. The response I got from our Salesforce security contact is:

"If you convert the requests to POST, the platform anti-csrf protection automatically kicks in."

Also I can read in the security repot:

"

A more appropriate fix is to not perform actions within a GET request that will save something in thedatabase and simply change these to use a POST body instead.

"

Alright we know the solution. But how do we do that? I have searched the Visualforce documentaiton and couldn't find anything on using POST forms.

Can anyone explain to me how to do that?

Cheers,

Laurent

Hi,

I have installed Eclipse 3.5 RC2 and installed the new IDE plugin for Spring 10.

But after restarting it asks me to "upgrade" to Summer 09, and prevents me from saving.

Anybody had this issue and know how to solve this?

Cheers,

Laurent

Hi,

Our problem is quite simple but I'm puzzled:

- we have a class that uses With sharing

- it is used as a Customer portal user

- it creates a contact

- Directly afterwards if I try to retrieve the same contact, I get a QueryException

We have set up public sharing of the Contact object to public read/write and we have read/edit/create in the Customer portal profile for the Contact object.

Any idea?

Cheers,

Laurent

Hi everyone,

i have a very dodgy situation.

I get this:

System.EmailException: SendEmail failed. First exception on row 0; first error: NO_MASS_MAIL_PERMISSION, Single email is not enabled for your organization or profile.  Single email must be enabled for you to use this feature.

When I use this:

Messaging.SingleEmailMessage mail = new Messaging.SingleEmailMessage();
listEmail.add(mail);
Messaging.sendEmailResult[] results = Messaging.sendEmail(listEmail);

- The Profile has the email enable(it is by default anyway that's why so few people gets this error)

- I tried the template test feature and it works perfectly with the same Email template

- Even better! I tried to send an email from another part of our system and it worked!

My conclusion is this NO_MASS_MAIL_PERMISSION is actually hiding the real cause of the problem.

But now, what do I do?

Any suggestion?

Thanks

Laurent

Hi,

The Salesforce Source Code tool shows Serious Access Control security problems everywhere there is no With sharing keyword. 

I understand what with sharing does.

Now I want to do an object search on a public Site page. Obviously the user needs to find all the records and not only the one he created or owns. 

What is the best practice then? Should we remoce with sharing (easy one) or put it and give access to all records. 

If so, how do we do that securely? 

Cheers,

Laurent

Hi everyone,

Do you know if we can use Chatter API from a Site User and Customer Portal user?

Basically we want to access custom object feeds, and insert post. 

Cheers,

Laurent 

Hi everyone,

I am in a visualforce page with a Controller. I have a list and a command button in this page.

<apex:selectList id="country" value="{!cdt.Country__c}" size="1"> <apex:selectOptions value="{!Values}"></apex:selectOptions> </apex:selectList><apex:commandButton action="{!test}" value="{!$Label.btn_Save}" />

When I call the commandButton, the list method getValues is called BEFORE the test method.

Several questions then:

- why is it called at all? It is part of the initialization of the page and shouldn't be called when we call an action! My intuition is that it is part of the validation that is automatically called by Salesforce when we call an action. But I don't see any reason why

-  It seems that it fires the Heap size verification. And the only solution we found to control the heap size of a page (for example when you want to upload big files) is to put null in the variable holding the big data when you don't need them, which is at the end of the action method. But if this verification is fired BEFORE this action then this solution doesn't work anymore.

Any thoughts?

Laurent 

Hi,

We have a CV upload in our Customer portal page, that lets the user upload his CV in a document. When the user is logged in (so the profile switch from Site profile to Customer POrtal profile) he can access an Edit your account page, which lets him upload a new CV.

But the Customer portal user seems to not have Edit and delete Access to standard objects?

Can we do anything about that? We need to have an "upload again" feature, even if it doesn't use the Document object.

Anyone has ever uploaded things in a Customer portal environment?

Thanks in advance,

Laurent 

Hi,

We have a SOSL request that goes threw the documents:

for(Document doc:(List<Document>)[FIND :keyword1 IN ALL FIELDS RETURNING Document(id)][0]){System.debug(doc);}

 To test that we need to inser a Document object.

We use this code:

Document d = new Document(); d.Name = 'my text file'; String myContent = 'aabbcc'; d.Body = Blob.valueOf(myContent); d.ContentType = 'text/plain';d.Type = 'txt';insert d;

 But the document is never retrieved by the SOSL request. 

This works fine inside our project with Document uploaded threw the Document Tab.

We noticed that our document's field IsBodySearchable is false which might cause the problem.

But how to put it to true when you manually insert from a Test class?

Thanks,

Laurent 

Hi,

We have a page to let the user insert an object, and then do something else. If a problem occurs after the insert of this object (an exception is thrown in the next lines for example) we rollback to a previously set savepoint.

The object is rollbacked as expected (deleted from the database) but it keeps the ID set by the insert.

Then when we come back to the page to display the cause of the error and to let the user try again, we get  a:

System.DmlException: Insert failed. First exception on row 0 with id 0018000000Yb54RAAR; first error: INVALID_FIELD_FOR_INSERT_UPDATE, cannot specify Id in an insert call: [Id] 

Here is a simple page to test this behaviour:

<apex:page controller="rollTest"> <apex:form> <apex:inputField value="{!acc.name}"/> <apex:commandButton action="{!myMethod}" value="test"/> </apex:form></apex:page>

 And the controller:

public class rollTest{ public Account acc {get; set;} public rollTest(){ acc = new Account(); } public void myMethod(){ SavePoint sp = Database.setSavePoint(); try{ insert acc; Account accFake = [select id from Account where name='testFail']; } catch(Exception e){ System.debug(e); Database.rollback(sp); System.debug(acc.id); } } }

I put a debug after the rollback to show that the ID is kept in the object even if it has been rollbacked.

I thought about putting NULL in the ID but it is read only.

I thought about instantiating a new Object but then we lose all the fields previously entered by the user (of course in reality our object is way more complex than an Account). For now it is the only solution we came with even if it is obviously not acceptable.

To sum up:

A rollback keeps the ID in the object, which causes problems if we try to insert this object again. 

Thanks in advance for any information.

Laurent 

Hi,

public with sharing class testController2 {   public List<String> listTest{ get; set; }    public testController2 (){       listTest= new List<String>();        listTest.add('1');    }}

public with sharing class testController {    public testController (){        myValue = new List<String>();        myValue.add('1');    }    public PageReference changeValue() {        myValue.add('2');        return null;    }    public List<String> myValue { get; set; }}

Hi,

It seems to work in a unmanaged package and throws this exception threw an email in  a managed release package:

Site registration accountId parameter value is not valid.

Here is the code we use:

private static String PORTAL_ACCOUNT_NAME = 'Customer portal';String userId = Site.createPortalUser(u, accountId, candidate.password__c);User u = new User(); u.Username = candidate.email__c; u.Email = 'sitep'+candidate.email__c; u.CommunityNickname = candidate.firstName__c + candidate.lastName__c; String accountId = [select id from Account where name=:PORTAL_ACCOUNT_NAME].id;

 Obviously we have previously created this Account.

I also checked the security settings in the Site profile but couldn't find any difference.

Coudl it be prefix related? 

Hi,

Our project is getting bigger and   we have more and more Save to server problems from the IDE.

If I try to push our actual version to a new org from the IDE by selecting Save to server on the src directory it shows 250 errors with really light information like:

"Save error: An error occured on your page"

Now we undesrtood that this one means there's a relation to a VF page which doesn't exist (in this case because of the dependency problkem before). Then we try to save the VF page but it needs the controller. Obviously this kind of circle dependency is supposed to be resolved by the metadata API but seems to fail early in the process and stops resolving any further dependency.

The worst part: I started resolving every dependency manually and ... everything worked! I managed to save every file to the server. Now (after 7hours of dependency resolving) we do not have any more information about where to start.

Did anybody ever have this problem?

Do you know any way of resolving the dependency issue or only where to start?

Thanks

Laurent 

Hi everyone,

We have a weird problem: After packaging, and whatever type of package we use to do so, the VF page in Sites doesn't retrieve values that has been fetched in the controller.

It ONLY happens in Sites. We have used the same page from the private url and it works. In the packaging org it works on both side.

So it's definitely a Site issue  after packaging.

We tried with a unmanaged package to try and debug. But everything seems to happen ok: the controller is called, the SOQL request gets the values, no exception is sent. But in the VF page there is nothing in place of what should be displayed.

Here is a simple example:

public class cont { public String color {get;set;} public cont(){ color = [select color__c from Color__c limit 1].color__c; } } VF page:<apex:page controller="cont">Color:{!color} </apex:page>

 No exception is thrown but the color is not displayed if we use this in Site after packaging the application and install it to a DE org.

Probably linked to this problem we can't access the page aymore. We need to prefix it with the package prefix manually. By example:

http://oooooooooooooo-developer-edition.na6.force.com/default?foconfig=carreer

doesn't work but

http://oooooooooooooo-developer-edition.na6.force.com/EosTrial98__default?foconfig=carreer 

 works. 

We also noticed that the prefixed pages look a bit weird:

<apex:page controller="EosTrial98.FrontOfficeConfigExt" showHeader="false"><apex:composition template="EosTrial98__CareerSiteTemplate"> 

Isn't it supposed to be a . and not __ ?

Our direct conclusion is that everything is linked in a way. Also it seems that we started to ave these problems since middle of last week. 

Any idea?

Laurent 

Hi everyone,

Do you know a way to test a class that uses Site.createPortalUser and expect it to be successfull?

Do we have any way to "fake" the success of this call?

I have a lot of code that depends on the success of this call and I don't know how to test it.

Cheers,

Laurent

Hi,

I have installed Eclipse 3.5 RC2 and installed the new IDE plugin for Spring 10.

But after restarting it asks me to "upgrade" to Summer 09, and prevents me from saving.

Anybody had this issue and know how to solve this?

Cheers,

Laurent

Hi,

Our problem is quite simple but I'm puzzled:

- we have a class that uses With sharing

- it is used as a Customer portal user

- it creates a contact

- Directly afterwards if I try to retrieve the same contact, I get a QueryException

We have set up public sharing of the Contact object to public read/write and we have read/edit/create in the Customer portal profile for the Contact object.

Any idea?

Cheers,

Laurent

Hi everyone,

i have a very dodgy situation.

I get this:

System.EmailException: SendEmail failed. First exception on row 0; first error: NO_MASS_MAIL_PERMISSION, Single email is not enabled for your organization or profile.  Single email must be enabled for you to use this feature.

When I use this:

Messaging.SingleEmailMessage mail = new Messaging.SingleEmailMessage();
listEmail.add(mail);
Messaging.sendEmailResult[] results = Messaging.sendEmail(listEmail);

- The Profile has the email enable(it is by default anyway that's why so few people gets this error)

- I tried the template test feature and it works perfectly with the same Email template

- Even better! I tried to send an email from another part of our system and it worked!

My conclusion is this NO_MASS_MAIL_PERMISSION is actually hiding the real cause of the problem.

But now, what do I do?

Any suggestion?

Thanks

Laurent

Hi,

The Salesforce Source Code tool shows Serious Access Control security problems everywhere there is no With sharing keyword. 

I understand what with sharing does.

Now I want to do an object search on a public Site page. Obviously the user needs to find all the records and not only the one he created or owns. 

What is the best practice then? Should we remoce with sharing (easy one) or put it and give access to all records. 

If so, how do we do that securely? 

Cheers,

Laurent

Hi all, 

i'm trying to use Rich Text Field on a Salesforce site's page with a custom controller. 

I updated both the controller and Visualforce page version at 18.0 :

- the controller, after this save, works correctly 
- but when i try to saving the version of this visualforce page, the error will appear is: 
"Error: Invalid field Description__c for SObject Ospitalita__c" 
(Description__c is the Rich Text Field) 


For your info, if i insert this rich text field in a empty visualforce page, it works correctly. 
But i give the error in my site pages , which have the template tags (apex:composition and apex:insert) . 

Are "this tags" the problem? 

How can i fix it? 
I need apex:composition and apex:insert and i don't want to delete them or substitute with component.

Thanks in advance!! 

In one of my application security scanner show the following line have problem .how to fix this type of line in apex controller. 

System.currentPageReference().getParameters().get('ObjType')

Good day, 

I try using following code and i get null at all ? can someone please let me know why do i miss out to get such info ?

System.debug('domain string : ' +Site.getDomain());

System.debug('getCustomWebAddress string : ' +Site.getCustomWebAddress());

System.debug('getCurrentSiteUrl String :' +Site.getCurrentSiteUrl());

System.debug('Sub domain String :' +Site.Subdomain);

System.debug('TopLevelDomain String :' +Site.TopLevelDomain);

System.debug('getOriginalUrl String :' +Site.getOriginalUrl());

between, i would like to get the organization instance name but is there a method to retrieve it ?

ie: www.mycompany.com.jp ....what i want is to get back the 'mycompany' ? how i can do that ?

Thank you ! 

If your web-application allows users to upload custom HTML and Javascript content (email templates, custom sites, attachments, etc.), you must ensure that adequate protections are in place to prevent users from launching XSS attacks (privilege escalation, data-leakage, cookie theft, etc.) against other users of the application. Additionally, if your application is vulnerable to CSRF, the attacks can be carried out by malicious (unauthenticated) users. 

There's a number of different approaches that be taken to address this security concern:

1) Alternate domain (Recommended)
Let’s say cookies are scoped to https://app.site.com.  Even if customers can upload arbitrary content, you can always serve the content from an alternate domain that is outside of the scoping of any trusted cookies (session cookies and other sensitive information).  As an example, pages on https://app.site.com would reference customer-uploaded HTML templates as IFRAMES using a link to https://content.site.com/cust1/templates?templId=13&auth=someRandomAuthenticationToken

The authentication token would substitute for the session cookie since sessions scoped to app.site.com would not be sent to content.site.com.  This is exactly the method that salesforce.com uses for our content product.

2) Alternate syntax
Some products, like wiki’s, have an alternate syntax that can be used by clients to indicate particular markup and formatting.  This allows clients to format content without directly using HTML.  Server-side rendering is done to translate the non-HTML markup into safe HTML.  Many WYSIWYG editors support such alternate markup syntax.

3) Whitelisting
The last option that I’m aware of is to “sanitize” HTML input from users.  Basically, you maintain a whitelist of allowed tags, the allowed attributes for each tag, and validation/transform routines for each attribute and each tag.  HTML sanitization can be very complicated and this technique becomes heavily browser dependent.   You also have other practical problems like the handling of invalid and unparsable HTML.

The best example of this technique in the wild is Gmail.  I’d suggest sending an HTML email containing every possible HTML tag, each with every possible HTML attribute, to a Gmail account and reviewing the changes that Gmail makes on the HTML delivered to the user.   You’ll see that there is a significant amount of logic that goes into sanitizing HTML.  It is a hard problem to fix correctly.

I updated my version of firefox to 3.6. 

After the updated I notice a strange behavior on visual force pages while in developer mode. 

When I go to a visual force page for the first time it displays a white screen.  No borders no heading nothing a completely white page. 

I hit refresh then the page displays correctly.  This was not happening in version 3.5 of firefox.  Has anyone else experianced any strange behavior with VF pages in Firefox 3.6

When not on developer mode the page renders correctly.

Thanks

I am in the middle of debugging an Apex/Visualforce application, and the maintenance that just occurred this evening (1/22/10) just completely changed the behavior of the debug logs.  Two problems with this new behavior:

- My filter settings don't seem to be saving.  For instance, when I change my filter settings to "FINEST" in Apex Code and Save, those changes do not show up when I go to filter settings again.

-MOST IMPORTANT: the log line does not show the method name. Here is an example of the new format:

23:35:20.832|CODE_UNIT_FINISHED
23:35:20.833|CODE_UNIT_STARTED|[EXTERNAL]VForcePage
23:35:20.840|USER_DEBUG|[157,4]|DEBUG|***s.Id b4: a4yQ000000000DAIAY
23:35:20.840|DML_BEGIN|[159,3]|Op:Upsert|Type:BP_Stage_Rule__c|Rows:1

Notice - no method name in any of the debug lines.

I went to the Help and Training to find out if I am doing something wrong. It says the event identifier will log "any additional information logged with that event, such as the method name or the line and character number where the code was executed."  But they give an example pretty much like the one I copied and pasted in here -- no method name.

If anyone has any insight on how to get the method name to show or how to get the old debug log format to show, please be so kind as to respond.  If this is not possible, then salesforce just got 10 times harder to debug in my book.

Thanks for any help!