Running Custom Code in Dynamics CRM Portal – Part 2 – Security

In a previous post, I talked about my experience running custom code from the portal. This method allowed a web file to be created and then called asynchronously from JavaScript. That post can be found at the link below; if you have not read it, I recommend doing so, as it provides context for the remainder of this post.

Running Custom Code in Dynamics CRM Portal

One of the major aspects missing from the last post is security. When the RetrieveMultiple plugin is triggered, it runs in the context of the system user. As written, the plugin has no knowledge of which portal user triggered it. This problem can be solved using the steps below.

Providing the current portal user (contact) id to the plugin

The first step is to pass the id of the current portal user to the plugin. This can be achieved by adding a condition to the FetchXml filter like below, along with adding a field to the Portal Actions entity.

Verifying Security on Organization Service Calls

The next step is to ensure that all calls to the OrganizationService have filtering applied. To do this, I created a class implementing the IOrganizationService interface which delegates calls to the organization service provided by the plugin. Then, when a call is made, I query the user’s entity permissions assigned through the associated web roles and then use these to determine what the user should be able to do and/or see.

Keep in mind that the Authenticated User web role is applied to Contacts automatically and will not always be explicitly assigned to the user.
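A sketch of the delegating wrapper described above, as an added example that is not the code from the original post. The `isAllowed` delegate and the right names passed to it ("Read", "Write", and so on) are hypothetical stand-ins for a lookup built from the contact's entity permissions. The example checks table-level rights only and does not apply permission scope.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example: wraps the plugin's IOrganizationService and denies by default.
// isAllowed(entityLogicalName, right) is a hypothetical lookup built from the
// contact's web roles, including the implicit Authenticated Users role.
public sealed class PortalGuardedService : IOrganizationService
{
    private readonly IOrganizationService _inner;
    private readonly Func<string, string, bool> _isAllowed;

    public PortalGuardedService(IOrganizationService inner, Func<string, string, bool> isAllowed)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _isAllowed = isAllowed ?? throw new ArgumentNullException(nameof(isAllowed));
    }

    private void Demand(string entity, string right)
    {
        if (string.IsNullOrEmpty(entity) || !_isAllowed(entity, right))
            throw new InvalidPluginExecutionException($"Portal user lacks {right} on '{entity}'.");
    }
    private void DemandLinks(IEnumerable<LinkEntity> links)
    {
        foreach (var link in links) { Demand(link.LinkToEntityName, "Read"); DemandLinks(link.LinkEntities); }
    }

    public Guid Create(Entity e) { Demand(e.LogicalName, "Create"); return _inner.Create(e); }
    public Entity Retrieve(string n, Guid id, ColumnSet c) { Demand(n, "Read"); return _inner.Retrieve(n, id, c); }
    public void Update(Entity e) { Demand(e.LogicalName, "Write"); _inner.Update(e); }
    public void Delete(string n, Guid id) { Demand(n, "Delete"); _inner.Delete(n, id); }
    public EntityCollection RetrieveMultiple(QueryBase query)
    {
        // FetchExpression and other query types are refused rather than passed through unchecked.
        if (!(query is QueryExpression qe)) throw new InvalidPluginExecutionException("Unsupported query type.");
        Demand(qe.EntityName, "Read");
        DemandLinks(qe.LinkEntities); // joined tables return data too, so check them as well
        return _inner.RetrieveMultiple(qe);
    }
    public void Associate(string n, Guid id, Relationship r, EntityReferenceCollection related)
    { Demand(n, "Append"); foreach (var t in related) Demand(t.LogicalName, "AppendTo"); _inner.Associate(n, id, r, related); }
    public void Disassociate(string n, Guid id, Relationship r, EntityReferenceCollection related)
    { Demand(n, "Append"); foreach (var t in related) Demand(t.LogicalName, "AppendTo"); _inner.Disassociate(n, id, r, related); }

    // Execute can carry any message, so it fails closed instead of delegating.
    public OrganizationResponse Execute(OrganizationRequest request)
    { throw new InvalidPluginExecutionException($"Message '{request.RequestName}' is not allowed for portal calls."); }
}
```

Inside the plugin, the wrapper would be constructed around the organization service the plugin already obtained, and every later call made on behalf of the portal user would go through the wrapper rather than the raw service.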