I have a custom Visualforce page that I'm using to replace the standard account page. Works great on SF1 via a custom list view page that links to the custom account page.
However, when users use the SF1 global search and they navigate through to the account page from the results they arrive at the standard out of the box page.
Is there a way to override the global search to ensure users always arrive at my custom VF page?
Related
The question is about the custom visualforce page in Salesforce. The page is created for getting contacts, opportunity, loans all are at a single dynamic link on the account named "Manage portal Access" Which comes under "Customer Portal Access" Tab like details and related list under "Account" Tab.The page was created to Manage the customer account, contacts and opportunities relationship. The page contains Email, Role, Last Login and a Toggle button as "Enabled".When this toggle button is enabled, those users have access to this portal relationship. It has respective apex class also.
The task here is, the toggle button can be enabled/disabled by some users, this want to be changed here by providing Read only access and assign two permission sets for edit access on this portal enable/disable.
" As a user I want Read Only Access to the portal tab. I want to be able to view all information on the tan and click through any dynamic links, but not be able to toggle the portal enable or un-portal enable any contacts. All Salesforce users should have a minimum of read only access to the Customer Portal Access Tab. The two permission below currently and should continue to provide edit access to the customer portal access section.
Create Customer Portal User
Document Manage Portal Admin "
Whether there is any customization option like providing access to objects in Salesforce through (Layouts, Fields FLS, Validation Rule)?
Or
-This can be achieved only through code on Visual force page and it's respective apex class, if this is the case how can I do it, whether there is any certain command or method for providing access or through controller class?
The "normal" object permissions (Create/Read/Update/Delete) and field level security (Read/Update) can be referenced in Visualforce. Something like this might be enough for you:
<apex:commandButton disabled="{!$ObjectType.Contact.fields.Role__c.updateable}">
Check the DescribeFieldResult in Apex reference. There's also something mentioned in VF developer guide but it's bit hidden and not as detailed: https://developer.salesforce.com/docs/atlas.en-us.234.0.pages.meta/pages/pages_variables_global_objecttype.htm
If you need more control than just whether field is editable or not - maybe look into Custom Permissions. They're your own checkboxes you add to Profile/Permission Set and you can check them in pure VF too, no apex required.
So... you decide. If most of the page is supposed to be identical, "just" about the button being enabled/disabled (or maybe even not rendered at all) - it's best to put the condition in the button. If it sounds like you need 2 different layouts - having 2 big blocks of code and one or another rendered might be cleaner to maintain and test.
P.S. Remember that good tester can activate the button using browser's developer tools. You should make similar "is field accessible / is custom permission assigned" check in Apex that runs on button click.
Do you know if it is possible to deep link a custom tab on the left hand navigation?
In my web app I allow the user to login through SSO from Salesforce ( so I use salesforce as authentication provider ), than when the user credentials are ensured i redirect the user to the tab using an aspex url like the following:
https://{domain}/apex/{VisualforceTabsName}?sfdc.tabName={VisualforceTabsRef}
or a servlet integration link like the following:
https://na15.salesforce.com/servlet/servlet.Integration?lid={lid}&ic=1&linkToken={linkToken}
I got those links simply right clicking the tabs and copy the link, now this is not going to work on the new ligthening experience where the link is something like the following;
https://gs0.lightning.force.com/one/one.app?source=aloha#{token}
Now it seems to me that the token in this case is user specific, so it can't be used as high level reference to the Visualforce tab.
Do you know if there is a way to do the same in the Lightening Experience (Spring 16' release)? Or if there is a different way to achieve the same result?
Thanks
In Lightning Experience, you can reference custom tabs using the developer name of the tab (note that this is the API name of the tab containing the Visualforce page, not of the page itself). This URL should work:
{domain}/lightning/n/{tabName}
This assumes that you have already created a tab for your Visualforce page.
When a custom form is created in Wagtail, I can see that it stores in the DB. What I'm not clear on is how to make it so that the admin UI contains the results in some manner. (A new link which lets you download a CSV would be fine, but I don't see how to do that)
How do I allow admin users the ability to see the results of the custom forms? Is this library the only way?
Once you create your first form page (i.e. a page of any page type that subclasses AbstractForm), a 'Forms' item will automatically appear in the left menu of the Wagtail admin. This provides a listing of all the form pages that exist on the site, allowing you to access the results of each one and download them as a CSV.
I want to add new section to the leads to call api request depending on the lead website url
It's something like creating the web-based tab, but I want to ad inside the leads to get data from a website depending on the lead website url
You can have VisualForce pages inline in a page layout, but the height is fixed and I generally don't find it to be an elegant solution, but it may work well in your case depending on what information you're bringing back and whether the length needs to be dynamic.
I'd implement this as a Visualforce page, and then use a formula field on the link to create a link to the page based on the Lead's URL. Users could then click this link to popup a new window with your page and information.
I'm looking for a technique to execute Apex code from a custom button added to the Opportunity object in a way that protects the user against CSRF.
The current approach being used comes from the question - Custom Button or Link to a Visualforce page with a custom controller. Essentially:
There is an Opportunity Custom Button with the Content Source set to "Visualforce Page".
The Content for this button is set to a Visualforce page that uses Opportunity for the standardController, has an extension apex class entered and an action for a method in that class
The action method returns a PageReference to another custom Visualforce page, including adding a parameter with the Opportunity Id.
This second custom Visualforce page does the bulk of the actual work, including making web service callouts and performing DML operations before redirecting the user back to the Opportunity.
The issue with this approach is that the second custom Visualforce page is retrieved via an HTTP GET, pulls parameters from the query string, and performs update/insert DML operations with no CSRF protection. This is being picked up by the Force.com Security Source Code Scanner.
I should add that this apex code is deployed as both a managed and a unmanaged package, hence the extra work to redirect to the target Visualforce Page using a PageReference. This ensures the namespace prefix is added if required.
How can I avoid the CSRF issue?
I don't want to add a form to the second visualforce page with a button that they must press to start the process (and hence picking up the ViewStateCSRF protection in the postback). From the users perspective they have already pressed the button to perform the operation.
I've asked this question before on the developer force forum and didn't come up with a solution - Cross-Site Request Forgery (CSRF/XSRF) safe Custom Button action
Perhaps I should be trying to move the code out of the controller for the second visual force page and using the extension to the stand controller instead?
I could switch to a Javascript callback to an Apex Web Service (as suggested in Call a apex method from a custom button and How invoke APEX method from custom button), but it seems a bit messy and I'm not sure if I'd just be opening up another range of security issues with the web service.
I booked Partner Security Office Hours with Salesforce and discussed this issue directly with them.
What I'm trying to do isn't currently supported if CSRF protection is required (I.e. to publish to the App Exchange). They suggested two alternative approaches:
Create an intermediate form in a Visualforce page that triggers the sensitive Apex Code. Hence picking up the built in CSRF protection.
Override the Opportunity Detail page (using apex:Details to display similar information). This new Visualforce page would include a similar form post back to option 1 to invoke the sensitive APEX code and get automatic CSRF protection.
Another approach that doesn't use custom buttons is to embed/inline a Visualforce page (see Embed a Page on a Standard Layout) containing just the required button within the standard page layout.
The embedded Visualforce page must use the standard object controller (Opportunity in my case) to appear in the list of available Visualforce pages on the standard page layout. The Visualforce page itself can be very minimal with just a commandButton inside a <apex:form>. The label of the Visualforce page can also be displayed in the page layout.
<apex:page id="embeddedPage" StandardController="Opportunity" extensions="OpportunityExtensionController" showHeader="false" standardStylesheets="true">
<apex:form >
<apex:commandButton value="CSRF Safe Button" action="someMethodInTheExtensionClass" />
</apex:form>
public with sharing class OpportunityExtensionController {
private final Opportunity opportunityFromController;
public OpportunityExtensionController(ApexPages.StandardController controller) {
opportunityFromController = (Opportunity)controller.getRecord();
}
public PageReference someMethodInTheExtensionClass() {
// Perform directly here within the postback rather than redirecting to another page to prevent against XSRF
System.debug('opportunityFromController.Id:' + opportunityFromController.Id);
}
}
This should protect against CSRF as the commandButton will pick up the "com.salesforce.visualforce.ViewStateCSRF" hidden input with the post back to the server inside the resulting iframe.
I've raised the Idea Invoking Apex code from the standard Entity Details pages with CSRF protection to see if they can add support for this directly with custom buttons.
Why don't you use a JavaScript button in the first place to launch the second page? Bypass the first page altogether.
Salesforce will apply merging to the script before rendering (so you can use {!Opportunity.Id} to include opp id in the second URL) and you can simply redirect the browser to your second page.