csorrows

Can you bypass object permissions for Customer Portal users?

I posted another thread on the Sites forum dealing with an issue I'm having with our Customer Portal, but I'm not getting much traction there, so I am rephrasing the topic and posting here instead.

 

Basically, here's what I'm facing... we're using the Customer Portal so that our customers have access to Cases, Assets, etc. but there are some things Customer Portal users cannot do out-of-the-box, such as deleting Contacts or editing Asset data.  We want to give them as much self-service as we can in certain areas, and we DO want them to be able to delete unneeded Contacts, and edit some Asset information.  For example, one use case is we have asset install addresses on the Asset object they should be able to maintain.

 

Since you cannot assign the appropriate object permissions to a Customer Portal profile (even a custom one like we use), I'm trying to find out if I were to develop a custom controller and Visualforce page, could I circumvent the object permissions restrictions for customer portal users, and "do my own thing" with manipulating those objects?

 

For example, even though I cannot assign Asset object edit permission for a customer portal profile, could a custom controller and Visualforce page be used to let them edit Asset information, since the Apex code is running in some type of system context?  Or am I still going to run into problems because Visualforce might still be preventing them from doing something because of the object permissions?  It's my understanding Visualforce still enforces some of the object permissions even though the backend Apex is running in system context - is that correct?

 

Any ideas on how to do this would be greatly appreciated.  Thanks in advance!

csorrows

Sorry for the bump, but does anybody know if this can be done?

 

Thanks!

Jeff May

Your own VF pages and controllers are still governed by record access rules -- otherwise, all kinds of bad things could happen.  First, I would think long and hard about letting customer portal users actually delete records -- of any kind.  These are your corporate records.   A much safer approach would be to allow the Customer portal users the ability to 'check' a field on a record that says "I'm done with this record and would be OK if it got deleted".  Then, you can have an in-house resource review and data-clean as appropriate.

 

Cases and Assets should almost never be deleted, since they provide the historical data for your metrics.
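
An added example, not posted by anyone in this thread, of the flag-for-review approach suggested above, written in Apex. The checkbox field `Ok_To_Delete__c` and the class and method names are hypothetical, and the rule that a user cannot flag their own contact record is an assumption of the example.

```apex
// Added example. Ok_To_Delete__c is a hypothetical custom checkbox on Contact.
// Portal users only flag a record; in-house staff review and delete.
public with sharing class ContactCleanupRequestController {

    public class CleanupException extends Exception {}

    // Marks a contact as "OK to delete" on behalf of the running portal user.
    public static void requestDeletion(Id contactId) {
        // Take the account from the running user, never from page input.
        User me = [SELECT AccountId, ContactId
                   FROM User
                   WHERE Id = :UserInfo.getUserId()
                   LIMIT 1];
        if (me.AccountId == null) {
            throw new CleanupException('Running user is not tied to an account.');
        }

        // Scope the lookup to the caller's own account so that a contact Id
        // belonging to another customer simply matches nothing.
        List<Contact> matches = [SELECT Id, Ok_To_Delete__c
                                 FROM Contact
                                 WHERE Id = :contactId
                                   AND AccountId = :me.AccountId
                                 LIMIT 1];
        if (matches.isEmpty()) {
            throw new CleanupException('Contact not found for this account.');
        }
        // Assumed rule: the contact behind the portal login cannot flag itself.
        if (matches[0].Id == me.ContactId) {
            throw new CleanupException('You cannot flag your own contact record.');
        }

        // Only the flag changes; no other field is writable through this path.
        matches[0].Ok_To_Delete__c = true;
        update matches[0];
    }

    // Staff-side review list: everything customers have flagged so far.
    public static List<Contact> pendingReview() {
        return [SELECT Id, Name, AccountId
                FROM Contact
                WHERE Ok_To_Delete__c = true
                ORDER BY LastModifiedDate];
    }
}
```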

 

csorrows

Thanks for the suggestion about a "can be deleted" type of field.  I might have to implement something like that if records cannot be deleted (contact records were the only type of object we were considering them being able to delete).

 

Is there no way around object permission restrictions for customer portal users at all?  We really would like them to be able to edit certain Asset fields such as custom Install Address fields we have on Asset objects.

 

Thanks!