• sai man 1
  • NEWBIE
  • 0 Points
  • Member since 2014

  • Chatter
    Feed
  • 0
    Best Answers
  • 0
    Likes Received
  • 0
    Likes Given
  • 2
    Questions
  • 4
    Replies
Hi ,

I am trying to build a managed package and while running a check marx code scane I am coming across the security risk on sharing keyword. And on further drilling it is stating like "All entry points to an app (Global or Controller classes) must use the 'with sharing' keyword. Classes without this keyword run without sharing if they are entry points to your code, or with the sharing policy of the caller. Do not omit the sharing declaration as this hides critical security information in side-effects that can change when code is refactored. Only declare classes as 'without sharing' if they are not entry points to your app and if they only modify objects whose security is managed by your code (such as wizard state, or fields in a site). It is a common misconception to believe that batch apex or async apex must run with the global keyword. This is not true, the only classes that must be global are those that expose webservices or are intended to be used by extension packages. All async apex should run as public in order to avoid creating privileged entry points to your app." My controllers have without sharing mentioned and I want it to execute in System Mode only so please can you suggest how to overcome the security risk.
I am trying to implement the 'Allow external users to self-register' for external users of my community portal. I am using the standard page CommunitiesSelfRegConfirm and the associated controller,but Site.createPortalUser () is returning null. I have attached te corresponding VF nd Apex , basically they are the default communityself registration pages.Please provide your valuable imputs in resolving this.
 
VF
======
<apex:page id="communitiesSelfRegConfirmPage" controller="CommunitiesSelfRegConfirmController" showHeader="true" cache="false" title="{!$Label.site.registration_confirmation}" >
    <apex:form forceSSL="true"> 
    <apex:define name="body">  
      <center>
        <apex:panelGrid bgcolor="white" columns="1" style="align: center;"> 
          <br/>
          <br/>
          <apex:panelGrid width="758" cellpadding="0" cellspacing="0" bgcolor="white" columns="1" style="topPanel"> 
            <br/>
            <apex:outputPanel layout="block" styleClass="topPanelContainer">
              <apex:panelGrid width="758" cellpadding="0" cellspacing="0" bgcolor="white" columns="2"> 
                <apex:image url="{!URLFOR($Resource.SiteSamples, 'img/clock.png')}"/>
                <apex:panelGroup >
                  <br/>
                  <apex:outputText styleClass="title" value="{!$Label.site.thank_you_for_registering}"/>
                  <br/>
                  <br/>
                  <apex:outputLink value="{!$Page.CommunitiesLogin}" rendered="{!$Site.LoginEnabled}">{!$Label.site.go_to_login_page}</apex:outputLink>
                  <br/>
                </apex:panelGroup>
              </apex:panelGrid> 
            </apex:outputPanel>
            <c:SitePoweredBy />
          </apex:panelGrid> 
       </apex:panelGrid>
      </center>
      <br/>
    </apex:define>
    </apex:form>
</apex:page>
 
Apex
======
/**
 * An apex page controller that supports self registration of users in communities that allow self registration
 */
public with sharing class CommunitiesSelfRegController {

    public String firstName {get; set;}
    public String lastName {get; set;}
    public String email {get; set;}
    public String password {get; set {password = value == null ? value : value.trim(); } }
    public String confirmPassword {get; set { confirmPassword = value == null ? value : value.trim(); } }
    public String communityNickname {get; set { communityNickname = value == null ? value : value.trim(); } }
    
    public CommunitiesSelfRegController() {}
    
    private boolean isValidPassword() {
        return password == confirmPassword;
    }

    public PageReference registerUser() {
    
           // it's okay if password is null - we'll send the user a random password in that case
        if (!isValidPassword()) {
            ApexPages.Message msg = new ApexPages.Message(ApexPages.Severity.ERROR, Label.site.passwords_dont_match);
            ApexPages.addMessage(msg);
            return null;
        }    

        String profileId = '00e90000001BjbTAAS'; // To be filled in by customer.
        String roleEnum = null; // To be filled in by customer.
        String accountId = '0019000001K0ObF'; // To be filled in by customer.
        System.debug('profileId '+profileId +'roleEnum'+roleEnum +'accountId'+accountId);
        String userName = email;
        String userId=null;
        User u = new User();
        u.Username = userName;
        u.Email = email;
        u.FirstName = firstName;
        u.LastName = lastName;
        u.CommunityNickname = communityNickname;
        u.ProfileId = profileId;
        System.debug('check here'+userName+','+email+firstName+firstName+communityNickname+','+profileId);
        try{
        userId = Site.createPortalUser(u,'  0019000001K0ObFAAV', password);
        }
        catch(Exception e)
        {
        System.debug('ERROR:' + e);
        }
        System.debug('this is it'+userId );
        if (userId != null) { 
            if (password != null && password.length() > 1) {
                return Site.login(userName, password, ApexPages.currentPage().getParameters().get('startURL'));
            }
            else {
                PageReference page = System.Page.CommunitiesSelfRegConfirm;
                page.setRedirect(true);
                return page;
            }
        }
        return null;
    }
}

 
Why action region tag in visualforce page ? plz any one can explain with suitable example...