Monday, May 16, 2016

[Salesforce] The Sobject Crusade: ApexPage

Source: ApexPage

The ApexComponent, as you would expect, is the record for the Visualforce Component.

Note that, even though the describe states that ApexPage is creatable and updatable, an exception is thrown if you try to insert/update a class via the API: use the Tooling API or Metadata API instead.

Among the fields, you can query for the markup of the component and its Apex controller.

Here is an example:

Select Id, Name, ApiVersion, Markup, ControllerKey, ControllerType, isAvailableInTouch, IsConfirmationTokenRequired From ApexPage ORDER BY Name


The IsConfirmationTokenRequired flag can be updated in the standard UI or in the Developer Console (under the Settings button) and is used to enable Cross-Site Request Forgery (CSRF) protection.

What is it?

This is a way to secure your pages when using GET requests, i.e. when a GET request makes changes to the data model that should not be repeated by, e.g., subsequent GET requests.

How does it work?

Salesforce appends a unique token (per user / session), a 128-bit (16 chars) string, to the page URL in the _CONFIRMATIONTOKEN parameter: this token can be used only once, and the Visualforce engine automatically validates the parameter.

Unfortunately, this mechanism is provided only when overriding the standard delete button.

Let's give it a try.

Let's create a new Visualforce page (with no action):

<apex:page standardController="Case">
 <b>THIS ACTION WILL BE EXECUTED ONCE</b>
</apex:page>

This is a page with a standard controller that actually does nothing; it is just here to prove what we are trying to do.

Click the Settings button in the Developer Console to enable the "Require CSRF protection on GET requests" flag:


If you try to load the page manually, you'll get this wonderful error:


If you append the _CONFIRMATIONTOKEN parameter with a random value, the message changes:


If we find a way to pass the correct token, we'll see the page.
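The behaviour seen so far (no token, random token, correct token, reuse) can be modelled in a few lines. This is an added illustration, not Salesforce's implementation and not code from the original post: the `ConfirmationTokens` class, the hex token encoding, the session ids and the example.invalid URL are assumptions; only the `_CONFIRMATIONTOKEN` parameter name comes from the page.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

PARAM = "_CONFIRMATIONTOKEN"  # parameter name taken from the page


class ConfirmationTokens:
    """Toy model of single-use, per-session GET confirmation tokens."""

    def __init__(self):
        self._pending = {}  # session id -> tokens issued but not yet used

    def issue_url(self, session_id, page_url):
        # 128 bits of randomness; the hex encoding is this example's choice.
        token = secrets.token_hex(16)
        self._pending.setdefault(session_id, set()).add(token)
        sep = "&" if urlparse(page_url).query else "?"
        return page_url + sep + urlencode({PARAM: token})

    def check(self, session_id, request_url):
        """Return 'missing', 'invalid' or 'ok' for an incoming GET request."""
        values = parse_qs(urlparse(request_url).query).get(PARAM)
        if not values:
            return "missing"
        supplied = values[0].encode()
        pending = self._pending.get(session_id, set())
        # Compare in constant time against the tokens issued to this session only.
        match = next(
            (t for t in pending if hmac.compare_digest(t.encode(), supplied)), None
        )
        if match is None:
            return "invalid"
        pending.discard(match)  # single use: replaying the same URL now fails
        return "ok"


def demo():
    store = ConfirmationTokens()
    page = "https://example.invalid/apex/MyPage?id=500000000000001"  # constructed
    url = store.issue_url("session-A", page)
    return [
        store.check("session-A", page),                       # no token at all
        store.check("session-A", page + "&" + PARAM + "=x"),  # random value
        store.check("session-B", url),                        # another session
        store.check("session-A", url),                        # first use
        store.check("session-A", url),                        # replayed URL
    ]
```

Because the token is consumed on first use and bound to the session that received it, a link copied into another session or reloaded from browser history is rejected rather than re-running the action.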

As said, the only way to make Salesforce generate that token is to override the delete button action.

Go to Setup > Customize > Cases > Buttons, Links and Actions and click Edit next to the Delete action:


Now try to delete a Case:


Salesforce will be releasing this feature for other actions in the near future.
