Not quite sure if this has been asked. In Salesforce, I can see within the object explorer and within the fields and relationships, all entries however if I perform in postman a:
https://eu40.salesforce.com/services/data/v50.0/sobjects/amazonconnect__AC_ContactTraceRecord__c/describe
and copy the results within a test document and look for a particular field I cannot find it. Is there a security setting within the fields from being accessed though a rest api?
Thanks,
the api user does not seem to have enough rights. Add the apiuser as an AC_Administrator and give it a try.
Related
So currently in the project we have a collection of documents that don't require authentication to be read. They are write/update protected, but everyone can read.
What we are trying to prevent is that someone looks at the firebase endpoints and somehow manages to scrape the entire collection in json format (if this is even possible). The data is public, but I want it only to be accessible from our website.
One of the solutions we could think of was SSR (we are already using Next.js), but implementing SSR just for this reason doesn't seem very enticing.
Any suggestions would be appreciated.
EDIT:
Let me rephrase a little bit.
From what you see in the network tab, is it possible to forge/create a request to Firestore and get the entire collection instead of just the 1 document that was intended?
The best solution in your case is SSR. I know, it could sound as not enticing, but well, let's reason on when we should use SSR, then. In your use case, there is an important requirement: security. I think this is already a strong enough reason to justify the usage of SSR.
Also, creating an ad hoc service account for the next.js app, and securing the data with custom rules that allow the read of your data only to that service account, would only improve the overall security level.
Last: reading the data server side should make your site work a little faster, even if it would be difficult to notice, because we are talking about milliseconds. Notice that your page, as it is now, will need to be loaded, before the request to Firebase could be sent. This is adding a small delay. If the data is loaded server side, the delay is not added.
is it possible to forge/create a request to Firestore and get the entire collection instead of just the 1 document that was intended?
If you want to limit what people can request from a collection, you're looking for security rules. The most common model there is some form of ownership-based access control or role-based access control, but both of those require some way of identifying the user. This could be anonymously (so without them entering credentials), but it'd still be a form of auth.
If you don't want to do that, you can still control how much data can be gotten through the API in one go. For example, if you in the security rules allow get but not list, the user can only request a document once they know its ID. Even if you allow list, you can control in rules what queries are allowed.
I think one approach could be writing a Cloud Function that retrieves this public data using the admin SDK. Then, you could set a rule that nobody can read those documents. This means that only your Cloud Function with the admin SDK will have access to those documents.
Finally, you could set up AppCheck for that specific Cloud Function, this way, you ensure that the request is coming from your client app only.
https://firebase.google.com/docs/app-check
I am using MEAN stack.Normally to collect data of a particular user I normally pass ID generated in mongodb database through $location.path in angular controllers, so the url contains the id's of my users .
But I don't know whether this is a secured way of doing things.
So can someone help me out what should be my approach.
`
Considering your last comment, when talking about an administrator reviewing a user's details for instance, yes it is the way to do it, like any resource from your database.
You may have an url like https://mycompany.com/users/{user's id} for instance, just be careful about the access rights.
We have a situation where some of our DocuSign documents do not get signed within the DocuSign system. We have someone that manages these "paper signatures" and then uploads them to DocuSign which connects to Salesforce.
We need to relate these envelopes to either an Opportunity or a Quote to get them to populate fields on these records.
When creatng the envelope, we have the option to "Relate to Salesforce" objects: Leads, Contracts, Opportunities, etc. We tried to use Opportunities and then use the Search to find the Opportunity to attach it to. However, if the Opportunity is in a Closed status (which it is 99% of the time), it will not show up in the search to select.
We could also attach to a Quote, however, there is no option on Salesforce Connect to relate to this object.
Does anyone know a workaround for this that will still allow our person to upload through DS and connect to the appropriate record?
Thanks,
Shannon
It will not unfortunately work with closed ops or quotes.
The only way I can think to do it would be to add a non-required envelope custom field in your account called ##SFOpportunity and when uploading that wet signed doc into DocuSign add the objectID as that envelope custom field (it's how the manage package relates back to proper objects when sending from SFDC).
It's a bit of manual process, but it should work.
I have a specific field that I am trying to find. The salesforce instance I am in has hundreds of tables/objects so I can't look through them manually.
I also only have read only access, so I can't run an APEX script or create objects. I am using an API to access the database, and store the data outside of salesforce.
What I need is to find the object/table that this field is stored in so I can write an SOQL query to get the field's values. Any ideas?
Easiest way is with Workbench.
I'm trying to write an app on the SalesForce platform that can pull a list of contacts from a report and send them to a web service (say to send them an email or SMS)
The only way I can seem to find to do this is to add the report results to a newly created campaign, and then access that campaign. This seems like the long way around.
Every post I read online says you can't access the reports through Apex, however most or all of these posts were written before Version 20 of the API was released last month, which introduced a new report object. I can now programmatically access info about a report (Such as the date last run etc) but I still can't seem to find a way to access the result data contained in that report.
Does anyone know if there's a way to do that?
After much research into it, I've discovered the only way to do this at the moment is indeed to scrape the CSV document. I would guess that Conga etc are using exactly this method.
We've been doing this for a while now, and it works. The only caveats are:
Salesforce username / password /
security token has to be shared to
the app connecting. If the password
changes (and by default it is changed
every 30 days or so) the token also
changes and must be re-entered.
You have to know the host of the account, which can be difficult to
get right. For instance while most european accounts would use emea.salesforce.com to access CSV, our account uses na7 (North America 7) even though we're located in
ireland. I'm currently sending the page host to the app and parsing it
to calculate the correct subdomain to use, but I think there has to be a
better way to do this.
Salesforce really needs to sort this out by supplying an API call which allows custom report results to be exported on the fly and allowing us to use OAuth to connect to it. But of course, this is unlikely to happen.
In the SalesforceSpring 11 update, it seems you can obtain more informations about the Reports:
As stated in the API for Report and ReportType, you can access via Apex the fields used in the query by the Report, reading the field "columns", as well as the field used to represent the filters called "filter".
Iterating through this objects, should allow you to build a String representing the same query of the Report. After building that string you can make a dynamic query with a Database.query(..) call.
It seems to be a little messy, but should work.. (NOT TESTED YET!)
As header states, this works only with Custom Reports!
Just to clarify for fellow rookies who will find this, when the question was asked you could access your report data programatically, but you had to use some hacky, error prone methods.
This is all fixed, you can now access your reports via the API as of Winter '14.
Documentation here - http://www.salesforce.com/us/developer/docs/api_analytics/index.htm
Go to town on those custom dashboards etc. Cross posted from the Salesforce Stack Exchange - https://salesforce.stackexchange.com/questions/337/can-report-data-be-accessed-programatically/
But Conga (appextremes) do this in their QuickMerge product, where the user specifies the report Id, and the apex script on the page runs the report to extract the results for a mail merge operation.
the v20.0 API added metadata about the reports, but no way to actually run the report and obtain the results. If this is a standard report, or a report you've defined, you can work out the equivalent SOQL query for your report and run that, but if its an end user defined report, there's no way to do this.