stv_dev

Invoke Apex Web Service from Custom Button in Professional Edition

Hi,

I have some process in my managed package that deletes records and recreates them again.

Can someone confirm if the below solution will work in Professional Edition?
Maybe by PE token, Client ID or any other solution.

 

Custom button with Execute JavaScript Behavior that invokes Apex Web Service
 
Custom Button Code:
{!requireScript("/soap/ajax/26.0/connection.js")}
{!requireScript("/soap/ajax/26.0/apex.js")} 
var result = sforce.apex.execute("ClassName","MethodName", {methodVariable:record.Id}); 
 
-----------------------------------
Apex Code:
global class ClassName {
    webservice static String MethodName(String methodVariable)
    {
    ...
    }
}
 
 
 
Thank you
Best Answer chosen by Admin (Salesforce Developers) 
aalbert

By default there should not be any security issue with you putting a Visualforce page/Apex behind a custom button. That is very common. Check out the security.force.com coding guidelines to see if that helps identify what will resolve that security issue in your code.

 

http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Request_Forgery

http://wiki.developerforce.com/page/Secure_Coding_Guideline

All Answers

aalbert

No, I wouldn't do it that way using the AJAX toolkit. That is not allowed since the clientId will be exposed as plaintext: 

http://www.salesforce.com/us/developer/docs/packagingGuide/index_Left.htm#StartTopic=Content/dev_packages_api_access.htm#dev_packages_api_access

 

Instead, could you put a Visualforce page behind the custom button that invokes apex logic to do the same thing? The page is really just a way to invoke the apex and not really a UI?

 

 

stv_dev

Hi aalbert,

Thank you for the quick response.

Actually it was my original solution:

calling a VF page, the delete/create of records runs during the page loading (in the constructor) and, after completing, it redirects to the standard page layout record.

But the Salesforce Checkmarx tool that checks the security of the code recognized the deletion of records as a Serious Security Risk (Cross-Site Request Forgery (CSRF)).
I got a suggestion to change the process from the GET to the POST method.
 
Thanks
 
stv_dev

Thank you!
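
The GET-to-POST change mentioned in the thread, as an added example (not code from the posters or from Salesforce): the delete/recreate work moves out of page load into an action method that runs only when an apex:form is submitted. RecreateController is a hypothetical name, and Task is an assumed stand-in for the package's own records.

```apex
// Flagged pattern (markup shown as a comment): the action runs on page load,
// so a plain GET to the page URL is enough to delete records.
//   <apex:page controller="RecreateController" action="{!recreate}"/>
//
// POST pattern: the page only renders a form; recreate() runs on submit, and
// <apex:form> postbacks carry the platform's anti-CSRF token.
//   <apex:page controller="RecreateController">
//     <apex:form>
//       <apex:pageMessages/>
//       <apex:commandButton value="Recreate records" action="{!recreate}"/>
//     </apex:form>
//   </apex:page>
//
// RecreateController is a hypothetical name; Task stands in for the
// package's own records (assumption).
public with sharing class RecreateController {
    private Id parentId;

    public RecreateController() {
        // Constructor only reads the request; no DML happens here.
        String raw = ApexPages.currentPage().getParameters().get('id');
        try {
            parentId = Id.valueOf(raw);
        } catch (Exception e) {
            parentId = null; // missing or malformed id
        }
    }

    public PageReference recreate() {
        if (parentId == null) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Missing or invalid record id.'));
            return null;
        }
        Savepoint sp = Database.setSavepoint();
        try {
            delete [SELECT Id FROM Task WHERE WhatId = :parentId];
            insert new Task(WhatId = parentId, Subject = 'Recreated');
        } catch (DmlException e) {
            Database.rollback(sp); // keep delete and insert atomic
            ApexPages.addMessages(e);
            return null;
        }
        PageReference back = new PageReference('/' + parentId);
        back.setRedirect(true);
        return back; // return to the standard record page
    }
}
```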