Suppose a Salesforce org's record-level access is set to Public Read Only, and the business now wants to restrict a few records so that they are visible only to users who have a token or key for that record. Because the sharing setting is Public Read Only, users can see all the records, right?
I have come up with a solution: password-protecting account records. I built a Visualforce page with Account as the standard controller and an Apex extension. It's pretty simple to implement but has a powerful result. Check out the video explaining the functional and technical flow.
Components
Visualforce Page : Record_Locker
- Two sections are rendered on the basis of the “locked” variable.
- If the record is locked and the logged-in user is not the owner, the user is asked to provide a valid password.
- If the record is not locked, the detail page is shown with the help of the <apex:detail> tag.
<apex:page standardController="Account" lightningStylesheets="true" extensions="Record_Locker_Extension">
    <apex:outputPanel id="SecureSect">
        <!-- Shown while the record is locked for the current user -->
        <apex:outputPanel rendered="{!locked}">
            <apex:form>
                <apex:pageMessages></apex:pageMessages>
                <apex:pageBlock>
                    <apex:pageBlockButtons location="bottom">
                        <apex:commandButton value="Unlock" action="{!unlock}" rerender="SecureSect"/>
                    </apex:pageBlockButtons>
                    <apex:pageBlockSection>
                        <apex:pageBlockSectionItem>
                            <apex:outputLabel>Enter Password:</apex:outputLabel>
                            <apex:inputSecret value="{!password}"/>
                        </apex:pageBlockSectionItem>
                    </apex:pageBlockSection>
                </apex:pageBlock>
            </apex:form>
        </apex:outputPanel>
        <!-- Shown once the record is unlocked (or was never locked) -->
        <apex:outputPanel rendered="{!!locked}">
            <apex:detail />
        </apex:outputPanel>
    </apex:outputPanel>
</apex:page>
Apex Class : Record_Locker_Extension
- The locked variable is initialized in the constructor: it is true when the account is locked and the logged-in user is not the owner.
- The unlock function checks whether the password entered by the user matches the password set by the owner at the account level.
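public with sharing class Record_Locker_Extension {
    public String password { get; set; }
    public Boolean locked { get; set; }
    public Account Acc;

    public Record_Locker_Extension(ApexPages.StandardController controller) {
        // addFields cannot be called in a test context, so skip it there.
        if (!Test.isRunningTest()) {
            controller.addFields(new List<String>{'Password__c', 'Locked__c', 'OwnerId'});
        }
        Acc = (Account) controller.getRecord();
        // The owner always sees the record; everyone else must unlock it.
        locked = Acc.Locked__c && Acc.OwnerId != UserInfo.getUserId();
    }

    public void unlock() {
        // String.equals is case-sensitive; the == operator on Apex strings is not.
        // A record with no password set stays locked.
        locked = !(Acc.Password__c != null && Acc.Password__c.equals(password));
        if (locked) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Password is not correct!'));
        }
    }
}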
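The extension above compares the entered value with a password stored in clear text in Password__c. The following is an added example, not code from the repository: a helper that stores a salted, stretched hash instead and compares it in constant time. The class name Record_Locker_Hashing, the fields Password_Salt__c and Password_Hash__c, and the ROUNDS value are assumptions.

```apex
// Added example, not the repository's code. Password_Salt__c and
// Password_Hash__c are hypothetical text fields replacing Password__c.
public with sharing class Record_Locker_Hashing {
    // Assumed work factor; tune against the org's Apex CPU limits.
    private static final Integer ROUNDS = 1000;

    // Owner side: call when the password is set, then save the account.
    public static void setPassword(Account acc, String plain) {
        String salt = EncodingUtil.convertToHex(Crypto.generateAesKey(128));
        acc.Password_Salt__c = salt;
        acc.Password_Hash__c = stretch(salt, plain);
    }

    // Viewer side: returns true only when the candidate matches.
    public static Boolean verify(Account acc, String candidate) {
        if (acc.Password_Hash__c == null || acc.Password_Salt__c == null
                || String.isEmpty(candidate)) {
            return false; // no password set or blank input: stay locked
        }
        return constantTimeEquals(acc.Password_Hash__c,
                                  stretch(acc.Password_Salt__c, candidate));
    }

    // Salted, iterated SHA-256. Simple key stretching, not PBKDF2.
    private static String stretch(String salt, String plain) {
        Blob digest = Blob.valueOf(salt + plain);
        for (Integer i = 0; i < ROUNDS; i++) {
            digest = Crypto.generateDigest('SHA-256', digest);
        }
        return EncodingUtil.convertToHex(digest);
    }

    // Compares every character so timing does not reveal the first mismatch.
    private static Boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        Integer diff = 0;
        for (Integer i = 0; i < a.length(); i++) {
            diff = diff | (a.charAt(i) ^ b.charAt(i));
        }
        return diff == 0;
    }
}
```

To use it, the extension would load the two hypothetical fields in addFields and set locked = !Record_Locker_Hashing.verify(Acc, password) in unlock(). Hashing protects only the stored password; with Public Read Only sharing the record's fields remain readable through reports, list views and the API, which the View override does not cover.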
Action Override : View
- Override the View button with the Visualforce page created above.
GIT Repository:
https://github.com/SFDCDevs/Password-Protect-Record-Salesforce.git
Why not lightning component?
The reason for not creating a Lightning component for this functionality is that it's not secure: the code can be easily manipulated from the browser, and a user can gain access to the record. I will be creating another video explaining this as well; make sure you subscribe to our YouTube channel SFDCDevelopers!