Nic 121

How to hide Salesforce backend from customer community users

Hey there,

We have built a (soon to be) public website using customly styled VF pages integrated with the SF backend.

Visitors to the site can view the custom VF pages as a Customer Community Guest user.  Users can also self register and become Customer Community users where they can follow products, certain users, post ideas, etc.  As a result, these objects must be visible to customer users.

Now the problem is, if a user types in www.thecommunitysite.com/003, for example, they will be able to access the SF CMS and see a complete list of contact names.  Our functionality relies on contacts being visible, yet we don't reveal actual user names in our system - just display names.  This list view being accessible destroys the privacy we need to have in place.

Mitigations:
  • I can use JS to autoredirect users upon arrival.  This is not secure enough alone.
  • I can override the list view with a custom VF page that redirects users.  This is fine, except the user will still be able to access the list if they enter www.thecommunitysite.com/003?nooverride=1.
  • I can create a blank page layout for the page, so that even if they do select a contact, or enter a full contact ID, they will only be able to see the contact name.
The problem is that this is not enough.  The website deals with factors of a financial nature, and thus, users, locations, and products must remain private.  In the planning stage, we have hired architects and so forth from SF for $300p/h, and been told that all of this would be possible.  We have been given the green light to build the site from SF, only to find everything they have said is not possible - it's been a disaster.  And now towards the end we have found that creating a secure product could be impossible, and this is a real hurdle.

Surely there must be a way of creating a secure VF Community website where the names of products, customers, and campaigns can be secure.

I appreciate any help you guys can give,

Cheers