I have a situation where a community user can edit the URL and access a standard Salesforce record page by using the query parameters. I want to control it. This is somewhat related to the discussion on here, but my scenario is between Lightning Community and Lightning Experience Salesforce UI. For example, my community page URL is https://communityURL/s/view-activity?c__activityId=a07r00000021c3YAAQ. A smart portal user can easily copy the record Id query param and modify the URL to https://communityURL/s/a07r00000021c3YAAQ. This opens up a standard record page for the user.
In VF/Classic we used to assign a Home page layout with a redirect URL VF page to the user, so as soon as they access any internal record, they get redirected. Any idea on how to handle this in Lightning?
Best Answer
I would recommend you not to expose the Salesforce record Id on the community URL directly, which will make your application vulnerable.
Looking at your example I believe view-activity is a custom community page hosting some custom component. Here are a few recommendations that might help:
atob and btoa base 64 encoding options and sanitize the url, so that the record ID will not be directly exposed.
init() you can put some logic for atob and btoa encoding to retrieve the actual ID back. For example:
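The encode/decode round trip described in the answer above, as an added example that is not part of the original answer; the function names are hypothetical and the parameter name c__activityId is taken from the question's URL. Base64 is a reversible encoding, so this only keeps the raw ID out of plain view in the URL; whether the user may open the record is still decided by the org's sharing and permission settings.

```javascript
// Added example. encodeRecordId, decodeRecordId and recordIdFromUrl are
// hypothetical helper names, not Salesforce APIs.

// Salesforce record IDs are 15 or 18 alphanumeric characters.
const SF_ID = /^[a-zA-Z0-9]{15}(?:[a-zA-Z0-9]{3})?$/;

// Encode a record ID for use as a query parameter value (URL-safe base64).
function encodeRecordId(recordId) {
  if (!SF_ID.test(recordId)) {
    throw new Error("not a Salesforce record ID");
  }
  return btoa(recordId)
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Decode the parameter (e.g. in the component's init handler).
// Returns null for anything that does not decode to a well-formed ID,
// so a tampered value is never passed on to a query or a navigation call.
function decodeRecordId(param) {
  if (typeof param !== "string" || !/^[A-Za-z0-9_-]+$/.test(param)) {
    return null;
  }
  const b64 = param.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  let decoded;
  try {
    decoded = atob(padded);
  } catch (e) {
    return null; // not valid base64
  }
  return SF_ID.test(decoded) ? decoded : null;
}

// Read and decode c__activityId from a page URL; null if absent or invalid.
function recordIdFromUrl(href) {
  const value = new URL(href).searchParams.get("c__activityId");
  return value === null ? null : decodeRecordId(value);
}
```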