if that profile does not have access to the account object the lookups will be always empty (because that profile cannot read accounts).

Before continue reading, please note that I’m just discovering the sharing rules and all the things with not internal users, so the information can not be accurate or wrong.

I think you have 3 options here: 

• Give read on accounts (and don’t share any account with that user / group so he can use the object, but no data is shared with him (I think a user has automatically shared the account of his/her contact). I don’t know how this will work if you try to put an account that is not shared with the user in the lookup, probably will fail (the record does not exist for that user)


• Use apex. I think apex does not look at the permissions in profiles,(I’m not really sure of this). you can store the data on text fields and with a trigger update the account, or schedule a batch to set the account in all the feedbacks without account

Thanks Pablo. 

I’ve considered the apex option - we would need to add text fields to the Feedback object where we capture the id url parameters, and then when the record is saved we use Apex to populate the lookup fields using those ids - but I’d prefer to stay away from that as it’s harder to maintain as a long-term solution for the client in this case.

And I’d prefer not to give public site users read access to all Accounts on the site - whilst its ‘low risk’ it does technically expose ALL the Account data publicly, which isn’t ideal.

Just a quick update on this - I ended up having to go down the apex trigger path to update these reference fields behind the scenes. There didn’t seem to be a way to do it using the UI as I didn’t want to grant read access accounts on that force.com site. The trigger is working nicely for the site Guest User profile.