Wednesday, May 21, 2014

ENFORCING CRUD-FLS Enforcements in Salesforce
Security authorizations are essential for every system. Just as the white blood cells in a human body restrict the entry of foreign microbes, or the ozone layer in the atmosphere blocks harmful radiation from entering, Salesforce has something called CRUD/FLS enforcement, which prevents users from gaining access to records they don’t own. We were developing an app consisting mostly of Visualforce pages and controllers. All the standard pages in Salesforce automatically enforce the CRUD and FLS settings. But it is different for Visualforce pages that use inputText and inputTextArea components, with many DML statements in their controllers: the system treats the fields displayed on the Visualforce page as plain string values, not as fields of the sObjects, so the object and field permissions are not checked for them.

The damage done by this evaluation procedure of Salesforce took a huge toll on our app’s release dates. When we submitted the app for security review, it failed because of insufficient CRUD/FLS enforcement checks. All we had was Salesforce’s own knowledge article, and we started analyzing each and every class we had and adding the appropriate manual CRUD/FLS checks. When the issue was finally resolved, I thought of writing a blog post about it to help my fellow peers. Here is how we did it.

One of the security review findings related to CRUD/FLS enforcement was given as “No manual CRUD enforcements on a DML event”, and the report document listed the classes that needed modification.

For example, when we instantiate a new record we have to use the describe methods isCreateable(), isUpdateable() and isDeletable() appropriately to enforce the CRUD and FLS access manually, something like this:

 Cities__c city = new Cities__c();
 // Field-level check: only assign a field the running user is allowed to create.
 if (Schema.sObjectType.Cities__c.fields.State__c.isCreateable()) city.State__c = 'American Samoa';
 if (Schema.sObjectType.Cities__c.fields.Name.isCreateable()) city.Name = 'Abeville';
 // Object-level check before the DML statement.
 if (Schema.sObjectType.Cities__c.isCreateable()) insert city;
But what if you want to enforce the FLS settings for many fields, as in the example below? Writing one condition per field takes too much time.

 // a (an Account) and city (a Cities__c) are records created earlier in the controller.
 Job_Locations__c location = new Job_Locations__c();
 location.Account__c = a.Id;
 location.City__c = city.Id;
 location.Company__c = 'american textile';
 location.Description__c = 'testing';
 location.Employer_Wisdom__c = 'www.gmail.com';
 location.Latitude__c = 3.5;
 location.Longtitude__c = 3.5;
 location.Location_State__c = 'American Samoa';
 location.Region__c = 'south';

In this case you can put all the field API names in a string array, iterate over it with a for loop, and check whether every field is createable (or updateable) for the running user, and whether the object itself is createable, updateable or deletable, before running the DML. Refer to the example below.

 // Assumed to be inside a Visualforce controller action method that returns a PageReference;
 // a (an Account) and city (a Cities__c) are records created earlier in the same method.
 Job_Locations__c location = new Job_Locations__c();
 String[] jobLocationsFields = new String[] {
     'Account__c', 'City__c', 'Company__c', 'Description__c', 'Employer_Wisdom__c',
     'Latitude__c', 'Longtitude__c', 'Location_State__c', 'Region__c'
 };
 Map<String, Schema.SObjectField> jlMap = Schema.SObjectType.Job_Locations__c.fields.getMap();

 // Field-level check: every field the page writes must be createable by the running user.
 Boolean isCreateable = true;
 for (String fieldToCheck : jobLocationsFields) {
     if (!jlMap.get(fieldToCheck).getDescribe().isCreateable()) {
         isCreateable = false;
         break;
     }
 }

 // Object-level check, combined with the field-level result, so that nothing is
 // inserted (not even an empty record) unless both checks pass.
 if (isCreateable && Schema.sObjectType.Job_Locations__c.isCreateable()) {
     location.Account__c = a.Id;
     location.City__c = city.Id;
     location.Company__c = 'american textile';
     location.Description__c = 'testing';
     location.Employer_Wisdom__c = 'www.gmail.com';
     location.Latitude__c = 3.5;
     location.Longtitude__c = 3.5;
     location.Location_State__c = 'American Samoa';
     location.Region__c = 'south';
     insert location;
 } else {
     ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Insufficient access'));
     return null;
 }

This might be the easiest possible way to enforce the CRUD and FLS permissions on DML statements.
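The loop above has to be repeated in every controller that writes a record. The following is an added example, not code from the original post: a small reusable helper that performs the object-level and field-level checks for any sObject, plus a controller that calls it before the insert. The custom object and field names (Job_Locations__c and its fields) are the ones used in this post; the class names CrudFlsHelper and JobLocationController, the method names and the WRITABLE_FIELDS list are this example's own assumptions.

```apex
// File: CrudFlsHelper.cls (example class; not part of the original post)
public with sharing class CrudFlsHelper {

    // Thrown when a field name in the list does not exist on the object, so a typo in
    // the list fails loudly instead of silently passing the check.
    public class UnknownFieldException extends Exception {}

    // True only when the running user may create the object AND every listed field.
    public static Boolean canCreate(Schema.SObjectType objType, List<String> fieldNames) {
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        if (!objDescribe.isCreateable()) {
            return false;
        }
        for (Schema.DescribeFieldResult f : describeFields(objDescribe, fieldNames)) {
            if (!f.isCreateable()) {
                return false;
            }
        }
        return true;
    }

    // Same check for updates: isUpdateable() on the object and on each field.
    public static Boolean canUpdate(Schema.SObjectType objType, List<String> fieldNames) {
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        if (!objDescribe.isUpdateable()) {
            return false;
        }
        for (Schema.DescribeFieldResult f : describeFields(objDescribe, fieldNames)) {
            if (!f.isUpdateable()) {
                return false;
            }
        }
        return true;
    }

    // Delete permission is object-level only; there is no field-level delete check.
    public static Boolean canDelete(Schema.SObjectType objType) {
        return objType.getDescribe().isDeletable();
    }

    // Resolves each API name through the object's field map (keys are lower-case).
    private static List<Schema.DescribeFieldResult> describeFields(
            Schema.DescribeSObjectResult objDescribe, List<String> fieldNames) {
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        List<Schema.DescribeFieldResult> results = new List<Schema.DescribeFieldResult>();
        for (String fieldName : fieldNames) {
            Schema.SObjectField field = fieldMap.get(fieldName.toLowerCase());
            if (field == null) {
                throw new UnknownFieldException('Unknown field: ' + fieldName);
            }
            results.add(field.getDescribe());
        }
        return results;
    }
}

// File: JobLocationController.cls (example Visualforce controller; not part of the original post)
public with sharing class JobLocationController {

    // Bound to the page's inputText / inputTextArea components.
    public Job_Locations__c location { get; set; }

    // The fields the page writes, kept in one place so the check and the page agree.
    private static final List<String> WRITABLE_FIELDS = new List<String>{
        'Account__c', 'City__c', 'Company__c', 'Description__c', 'Employer_Wisdom__c',
        'Latitude__c', 'Longtitude__c', 'Location_State__c', 'Region__c'
    };

    public JobLocationController() {
        location = new Job_Locations__c();
    }

    // Action method for a commandButton: no DML runs unless both the object-level
    // and every field-level create permission pass for the running user.
    public PageReference save() {
        if (!CrudFlsHelper.canCreate(Job_Locations__c.SObjectType, WRITABLE_FIELDS)) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Insufficient access'));
            return null;
        }
        insert location;
        return new PageReference('/' + location.Id);
    }
}
```

Two points are worth noting when using a helper like this. The list of field names is the only link between what the page writes and what is checked, so it must be updated whenever a new input component is added to the page, otherwise the new field is written without a check. And `with sharing` on the controller only enforces record-level sharing rules; it does not replace the object- and field-level describe checks shown here.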

External References:
Learn more about permission settings and FLS settings in Salesforce:
https://developer.salesforce.com/page/Testing_CRUD_and_FLS_Enforcement

Nirmal Christopher


Salesforce.com Technical Consultant
Global Tech and Resources Inc.



1 comment:

more said...

Ok, that's definitely not something I could do myself. Luckily, we're outsourcing IT services from Pro4People, who just seamlessly join our team and cooperate perfectly. Now we're about to develop the industrial internet of things solution, so keep your fingers crossed :)