FdeBergeyck

Login with different user in S-control

Hello,
 
I have a user access problem, and was wondering if someone could help me. Here is my problem:
I want to run an s-control that will be invoked by a standard user, but the s-control needs to get data that is only accessible to an administrator. I tried the following, but it doesn't work:
 

<HTML>
<head>
<script language="JavaScript">
// Beta AJAX toolkit: initialise with the current user's session
sforceClient.init("{!API.Session_ID}", "{!API.Partner_Server_URL_100}");
.......
function SearchAccount() {
        // username and password are passed as string literals
        var loginResult = sforceClient.Login("abc@xyz.be", "psw");
..........
}
.........
</script>
...........
 
 
Thank you very much for your help!
 
François
sfdcfox
François,

First, and foremost, this is a major security issue. You should never create code that runs in the user's browser with elevated privileges, as that may compromise your data or configuration to a knowledgeable user. It would be preferable to have the object accessible to the user only via the API and not through reports or other mechanisms, but you MUST understand that if their browser can see the data, that user can see the data. There is no way to prevent this from happening.

Secondly, you're using the Beta toolkit. This isn't supported, and you really should move up to the production toolkit. Be sure to include a script header as follows:

Code:
<script src="/soap/ajax/10.0/connection.js"></script>
Then, you can login using your credentials, as follows:

Code:
<script language="JavaScript1.5" type="text/javascript">
sforce.connection.login("admin@mycompany.com","mysecretpassword")
...

</script>
Finally, do whatever it is that you need to do.

Please note, again, that this will compromise your account to anyone with basic HTML knowledge. This is an inevitable fact that cannot be avoided. If you care about your Salesforce data and configuration, you won't even attempt this. I can't stop you, but I have warned you. Use this only for an account that you don't care about at all, like a Developer Edition account, and only with data that you don't care if your users can see, because they can, and most likely, someone will. The only data secure from users is data that users can't access through any mechanism.

As a final alternative, if you absolutely insist on doing this, create a new profile that has no permissions at all except API-enabled and read-only access to the object/fields that need to be read. Assign this to a dummy user that will be used to facilitate access to the data in question, and use that login and password instead. That will prevent your users from using this elevated access to trash your organization's data (or worse, steal everything and leave the company) five minutes after you walk out the door and they decide to right-click on the page and view the source code.

~ sfdcfox ~
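The point sfdcfox makes above (anything the browser receives, the user can read) is easiest to enforce with a review check before an s-control is deployed. The following is an added example, not code from the thread or from the Salesforce AJAX toolkit: a small static scanner that flags toolkit login calls whose password argument is a string literal baked into the client-side source. The method names it matches (sforceClient.Login from the Beta toolkit, sforce.connection.login from the production toolkit) are the two that appear in the thread; the sample sources it scans are constructed for the example, and treating merge fields such as "{!API.Session_ID}" as non-secrets is an assumption of this check, not a documented toolkit rule.

```javascript
// Added example (not from the original thread): static check for hard-coded
// credentials in s-control / HTML source before it is deployed to end users.
//
// Assumptions (not from the thread):
//  - a login call is matched by name: sforceClient.Login(...) or sforce.connection.login(...)
//  - an argument counts as a hard-coded secret when it is a quoted string literal
//    that is not a Salesforce merge field like "{!API.Session_ID}" (those are filled
//    in server-side per user and are not a shared password)
//  - values flowing through variables are not traced; this is a first-pass lint,
//    not a data-flow analysis

const LOGIN_CALL =
  /\b(?:sforceClient\.Login|sforce\.connection\.login)\s*\(\s*([^,()]*)\s*,\s*([^()]*)\)/g;
const STRING_LITERAL = /^\s*(['"])(.*)\1\s*$/;
const MERGE_FIELD = /^\{!.*\}$/;

// Returns the literal's value if the argument is a quoted string, else null.
function literalValue(arg) {
  const m = STRING_LITERAL.exec(arg);
  return m ? m[2] : null;
}

// True when the argument is a literal that is not a merge field.
function isLiteralSecret(arg) {
  const value = literalValue(arg);
  return value !== null && !MERGE_FIELD.test(value);
}

// Scans source text and returns one finding per login call whose password
// argument is embedded as a literal. Line numbers are 1-based.
function findHardcodedLogins(source) {
  const findings = [];
  LOGIN_CALL.lastIndex = 0;
  let m;
  while ((m = LOGIN_CALL.exec(source)) !== null) {
    const [call, userArg, passArg] = m;
    if (isLiteralSecret(passArg)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({
        line,
        username: isLiteralSecret(userArg) ? literalValue(userArg) : null,
        call: call.trim(),
      });
    }
  }
  return findings;
}

// Constructed sample: the pattern the thread warns against (credentials in the page).
const UNSAFE_SOURCE = [
  '<script src="/soap/ajax/10.0/connection.js"></script>',
  '<script type="text/javascript">',
  'sforce.connection.login("admin@example.invalid", "hunter2");',
  '</script>',
].join("\n");

// Constructed sample: the session of the current user is used instead of a
// shared administrator login, and any login() call takes its values from
// variables the user supplies at runtime rather than from literals.
const SAFE_SOURCE = [
  '<script type="text/javascript">',
  'sforceClient.init("{!API.Session_ID}", "{!API.Partner_Server_URL_100}");',
  'function loginAsSelf(user, pwd) { return sforce.connection.login(user, pwd); }',
  '</script>',
].join("\n");

// Stand-alone run: prints the findings for both samples.
for (const [name, src] of [["unsafe", UNSAFE_SOURCE], ["safe", SAFE_SOURCE]]) {
  console.log(name, JSON.stringify(findHardcodedLogins(src)));
}
```

Running the block reports one finding for the unsafe sample (line 3, username admin@example.invalid) and none for the safe sample. The check deliberately keys on the password argument only: a literal username with a runtime-supplied password is noisy but not a secret leak, whereas a literal password is always one, whatever the username argument looks like.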
RickyG
sfdcfox is absolutely correct to advise extreme caution against implementing this type of solution.  But there might be another way to the answer you are looking for.

For a custom object, Apex classes run as administrator, but you can add security to the class itself. Why not have your s-control call an Apex class, which will not only return data but check the identity and profile of the user? This will protect your solution from exposing login information that could completely compromise the security of your data.

Hope this helps.

FdeBergeyck
Thank you very much for your help! I am aware of the security issue the code generates. I hoped that there was a way to hide the login and password in the code...
 
Rick, I'm using Enterprise Edition, which means I don't have access to Apex code. Is there still a way to use an Apex class?
 
Thank you again,
 
François
sfdcfox
No, Apex Code isn't available on EE. At the very least, you might consider using something like TEA to encrypt the password, and then use a Javascript obfuscation program to make your code illegible. Sure, this won't stop the sincere hacker, but it will make it impossible for a novice (e.g. a typical sales representative) to decipher your password and make it far less likely you'll have an... occurrence. Still, consider using a restricted user if you have an extra license to avoid the possibility that they'll do more harm than just stealing the data you gave them access to.

~ sfdcfox ~

Message Edited by sfdcfox on 10-22-2007 09:33 AM

RickyG
Francois -

Probably the shortest route would be to purchase a Platform license to supplement your EE license.  This should give you access to Apex code.

Hope this helps.