[SalesForce] Prevent lightning Community user navigating to standard Salesforce page by hacking URL

I have a situation where community user can edit the URL and access standard Salesforce record page by using the query parameters. I want to control it. This is somewhat related to the discussion on here but my scenario is between Lightning Community and Lightning Experience Salesforce UI. For example my community page URL is => https://communityURL/s/view-activity?c__activityId=a07r00000021c3YAAQ. A smart portal user can easily copy the record Id query param and modify the URL to https://communityURL/s/a07r00000021c3YAAQ. This opens up a standard record page for the user.

In VF/classic we used to assign a Home page layout with a redirect URL vf page to the user so as soon as they access any internal record, they get redirected. Any idea on how to handle this in Lightning?

Best Answer

I would recommend you not to expose salesforce record Id on the community URL directly, which will make your application vulnerable.

Looking at your example I believe view-activity is a custom community page hosting some custom component.

Here are few recommendations that might help-

Use atob and btoa base 64 encoding options and sanitize the url, so that the record ID will not be directly exposed.
On your custom component init() you can put some logic for atob and btoa encoding to retrieve the actual ID back.

for example :

btoa('a07r00000021c3YAAQ'); -> YTA3cjAwMDAwMDIxYzNZQUFR
atob('YTA3cjAwMDAwMDIxYzNZQUFR') -> a07r00000021c3YAAQ

On top of this you can have a client side check as @Jake Richter has already mentioned to his answer.

Related Solutions

[SalesForce] SSO setting while migrating from Partner Portal to communities

No
Yes, you have to change the URL if you're migrating to the community. If this is what you mean by 'impacted', then yes. You should be using an identity provider that does not expose this URL to end users.
Maybe, see below

Internal users can login to the community via the same Assertion Consumer Service (ACS) endpoint @ /login/blah used by community users. You don't need multiple connections on the identity provider side.

With communities it is now much easier to segregate audiences vis-a-vis the baseline org. For example, we have customers where internal users (full Salesforce license) login to the baseline org and external users login to the community. They use two different ACS endpoints on two different identity providers. Or you could have a single identity provider with two connections, one for each user segment. This depends on the sophistication of your identity provider.

[SalesForce] Lightning Community – Landing Page/Home Page

Here is what I did in my developer edition sandbox based on what you provided in the comments and question:

Created a community and selected template as Napili.
When you create community, It creates a site also go to site(Settings->Develop->Sites)
Here add the custom VF page you built(Site Visualforce Pages section).
Active Site Homepage should be "CommunitiesLanding"
Add a URL redirect for the site as something like below(replace 'SimplePage' with your Disclaimer page):
On your disclaimer page, wherever you want to display community login url, use something like this:
```
<apex:outputLink value="/CommunitiesLogin"> Community Login</apex:outputLink>
```

so with all this what will happen is :

User enters url for the site in the browser.
User is shown the SimplePage because we set the URL redirect for the site to this page in the above screenshot.
This page shows a hyperlink and clicking on it will take user to community login page.
Entering credentials will take user to Community home page(Because Active Site Home page is set to "CommunitiesLanding").

Here on step 2, looks like you want to show disclaimer info and other stuff.

Best Answer

Related Solutions

[SalesForce] SSO setting while migrating from Partner Portal to communities

[SalesForce] Lightning Community – Landing Page/Home Page

Related Topic