FdeBergeyck
Login with different user in S-control
Hello,
I have a user access problem, and was wondering if someone could help me. Here is my problem:
I want to run an s-control that will be invoked by a standard user, but the s-control needs to get data that is only accessible to an administrator. I tried the following, but it doesn't work:
<HTML>
<head>
<script language="JavaScript">
sforceClient.init("{!API.Session_ID}", "{!API.Partner_Server_URL_100}");
.......
function SearchAccount() {
var loginResult = sforceClient.Login(abc@xyz.be, "psw");
..........
}
.........
</script>
...........
Thank you very much for your help!
François
First, and foremost, this is a major security issue. You should never create code that runs in the user's browser with elevated privileges, as that may compromise your data or configuration to a knowledgeable user. It would be preferable to have the object accessible to the user only via the API and not through reports or other mechanisms, but you MUST understand that if their browser can see the data, that user can see the data. There is no way to prevent this from happening.
Secondly, you're using the Beta toolkit. This isn't supported, and you really should move up to the production toolkit. Be sure to include a script header as follows:
Code:
Then, you can log in using your credentials, as follows:
Code:
Finally, do whatever it is that you need to do.
Please note, again, that this will compromise your account to anyone with basic HTML knowledge. This is an inevitable fact that cannot be avoided. If you care about your Salesforce data and configuration, you won't even attempt this. I can't stop you, but I have warned you. Use this only for an account that you don't care about at all, like a Developer Edition account, and only with data that you don't care if your users can see, because they can, and most likely, someone will. The only data secure from users is data that users can't access through any mechanism.
As a final alternative, if you absolutely insist on doing this, create a new profile that has no permissions at all except API-enabled and read-only access to the object/fields that need to be read. Assign this to a dummy user that will be used to facilitate access to the data in question, and use that login and password instead. That will prevent your users from using this elevated access to trash your organization's data (or worse, steal everything and leave the company) five minutes after you walk out the door and they decide to right-click on the page and view the source code.
~ sfdcfox ~
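An added example, not part of the thread and not code from any Salesforce toolkit: a small JavaScript audit that scans s-control source for login calls carrying literal credentials, which is what View Source exposes to every user of the page. The function name `findEmbeddedLogins` and the sample markup are constructed for illustration; the check matches any method named `login`, case-insensitively, and assumes both arguments are plain string literals.

```javascript
// SAMPLE is constructed, modelled on the snippet in the question above.
const SAMPLE = [
  '<html><head>',
  '<script language="JavaScript">',
  'sforceClient.init("{!API.Session_ID}", "{!API.Partner_Server_URL_100}");',
  'function SearchAccount() {',
  '  // var old = sforceClient.Login("old@example.invalid", "x");',
  '  var loginResult = sforceClient.Login("admin@example.invalid", "placeholder-password");',
  '}',
  '</script></head></html>'
].join('\n');

// Report every login call in a <script> block whose username and password
// are string literals. Commented-out calls are reported too: a comment is
// delivered to the browser like any other source text.
function findEmbeddedLogins(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const loginRe = /([\w$.]+\.login)\s*\(\s*(["'])(.*?)\2\s*,\s*(["'])(.*?)\4\s*\)/gi;
  let block;
  while ((block = scriptRe.exec(html)) !== null) {
    const body = block[1];
    // Offset of the script body inside the whole document, for line numbers.
    const bodyOffset = block.index + block[0].indexOf('>') + 1;
    loginRe.lastIndex = 0;
    let call;
    while ((call = loginRe.exec(body)) !== null) {
      const lineStart = body.lastIndexOf('\n', call.index) + 1;
      findings.push({
        line: html.slice(0, bodyOffset + call.index).split('\n').length,
        callee: call[1],
        username: call[3],
        // Record only the length so the audit output does not repeat the secret.
        passwordLength: call[5].length,
        inComment: body.slice(lineStart, call.index).includes('//')
      });
    }
  }
  return findings;
}

for (const f of findEmbeddedLogins(SAMPLE)) {
  console.log(`line ${f.line}: ${f.callee} as ${f.username}` +
    (f.inComment ? ' (commented out, still visible in source)' : ''));
}
```

The `sforceClient.init` call with the `{!API.Session_ID}` merge field is not reported, because it reuses the viewing user's own session rather than shipping another account's password to the browser.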
For a custom object, Apex classes run as administrator, but you can add security to the class itself. Why not have your s-control call an Apex class, which will not only return data but check the identity and profile of the user? This will protect your solution from exposing login information that could completely compromise the security of your data.
Hope this helps.
~ sfdcfox ~
Message Edited by sfdcfox on 10-22-2007 09:33 AM
Probably the shortest route would be to purchase a Platform license to supplement your EE license. This should give you access to Apex code.
Hope this helps.