Prevent CRUD/FLS violation - isAccessible()

-

There are certain security tests which salesforce recommends before allowing an application to be used. These tests include permissions, XXS vulnerabilities, etc. One of these is regarding the accessibility of the fields which are being retrieved in your code.
This code snippet will help you check the accessibility of your fields included in a SOQL query.

IsAccessible()

This function of DescribeSObjectResult class, verifies that the logged-in user has permission to access the field before your code retrieves the field from an object via query.

Code Snippet :
public static Boolean isFieldsAccessible(Map<String, Set<String>> objectFields) {
        Map<String, Schema.SObjectType> schemaMap = Schema.getGlobalDescribe();
        Integer globalFlag = 0;
        for (String objectName : objectFields.keySet()) {
            Integer flag = 0;
            Map<String, Schema.SObjectField> fieldMap = schemaMap.get(objectName).getDescribe().fields.getMap();
            for (String fieldName : objectFields.get(objectName)) {
                for (Schema.SObjectField field : fieldMap.values()) {
                    Schema.DescribeFieldResult fieldDetail = field.getDescribe();
                    if (fieldDetail.getName() == fieldName && fieldDetail.isAccessible()) {
                        flag++;
                        break;
                    }
                }
                if (flag == objectFields.get(objectName).size()) {
                    globalFlag++;
                }
            }
        }
        if (globalFlag == objectFields.size())
        return true;
        return false;
    }

This code can be used for multiple SOQL queries at once.




Add this code to your utility class and use as below :

1. For a single SOQL Query :
List<Profile> pObj=new List<Profile>();
if (myUtility.isFieldsAccessible(new Map<String, Set<String>>
                     {
                       'Profile' => new Set<String> { 'Id', 'Name' }
                     })) 
           {
            pObj= [SELECT Id, Name FROM Profile where Id = :UserInfo.getProfileId()];
}

2. For multiple SOQL queries :
Account accObj;
List<Contact> contactList = new List<Contact>();
if (myUtility.isFieldsAccessible(new Map<String, Set<String>>
                     {
                      'Account' => new Set<String> { 'Id', 'Name' },
                      'Contact' => new Set<String>{'Id','LastName'}
                     })) 
          {
            accObj= [SELECT Id, Name FROM Account where CreatedById = :UserInfo.getUserId()];
            contactList=[SELECT Id, LastName FROM Contact where AccountId=:accObj.Id];
}

3. For relationship fields, Please pass the related objects also as the parameters with their respective fields :
Contact contactObj;
if (myUtility.isFieldsAccessible(new Map<String, Set<String>>
                  {
                    'Contact' => new Set<String>{'Id','LastName'},
                    'User' => new Set<String>{'Name'}
                  })) 
            {
            contactObj=[SELECT Id, LastName,ReportsToId.Name FROM Contact LIMIT 1];
}

This also applies to relationship fields used in WHERE clause.


This method can be extended to check isCreateable(), isUpdateable(), isDeletable() and other DescribeSObjectResult methods as per your requirement. 

Comments

Post a Comment

Popular posts from this blog

SFDX Push Error : An object 'ComponentName' of type LightningComponentBundle was named in package.xml, but was not found in zipped directory

-
Image
 Hello, Nowadays salesforce developers have moved to SFDX and VSCode as their primary IDE. There is one error which has particularly bothered me and my team.  This error occurs when you create a new SFDX project and retrieve all the components, do all the required changes lets say in a lightning web component and try to push the component to salesforce org. This error occurs :  An object 'ComponentName' of type LightningComponentBundle was named in package.xml, but was not found in zipped directory. Solution: Please do check if there is meta.xml file in the component bundle, this error occurs because of missing meta.xml file. For some weird reason, the meta.xml file is not retrieved with the component. If that is the case, then one solution is to create a meta.xml file manually under the component folder with the general XML configuration as below: <? xml  version = "1.0"  encoding = "UTF-8" ?> < LightningComponentBundle   xmlns = "http://soap....
Read more

Salesforce Apex Triggers Interview Questions/Scenarios

-
 Hello, This post is regarding some apex trigger interview questions. These questions are for Novice to Intermediate level developers. I feel these questions/scenarios would be helpful for practice. PS: The questions below are collected from the internet and some of them are which I was asked in the interviews I appeared for. 1.    Create "Sales Rep" field with the datatype (Text) on the Account object. When we create an Account record, the Account's owner name will be automatically added to the sales rep field. When we update the Account owner of the record, then also the Sales Rep will be automatically updated. 2.    Create a field called "Contact Relationship"(checkbox) on the contact object and create the object called "Contact Relationship" which is related to Contacts (Lookup Relationship). Now build a logic when we create contact by checking the Contact Relationship checkbox, a Contact Relationship record will be created automatically for that c...
Read more