
Enforcing FLS and CRUD in Salesforce


Field-level security (FLS) in Salesforce lets you restrict users’ access to view and edit specific fields. Access is evaluated in terms of the create, read, update and delete operations, i.e. CRUD.

Apex in Salesforce doesn’t respect CRUD & FLS. This is because most of the processes that a developer has to implement in Apex need to bypass CRUD & FLS.

The responsibility for managing CRUD & FLS in Apex is left to the developer, as requirements dictate. Depending on how your custom applications render and process data, unauthorized users can potentially access and modify data that they shouldn’t, so FLS should be enforced when required.

The DescribeSObjectResult class includes a number of helper functions that you can use to verify a user’s level of access and prevent data from being inadvertently exposed or modified.

IsCreateable()

Before you insert a record in the database, check that the logged-in user has both “Edit” permission on the field and “Create” permission on the object. You can check both permissions by checking if the particular field isCreateable().

// Insert only when the running user may create the Name field
if (Schema.sObjectType.Account.fields.Name.isCreateable()) {
    Account ac = new Account(Name='Test');
    insert ac;
} else {
    System.debug('Insufficient Permissions');
}

IsAccessible()

Before you retrieve a field from an object, you want to verify that the logged-in user has permission to access the field by checking if the field isAccessible().

// Query the field only when the running user may read it
if (Schema.sObjectType.Opportunity.fields.ExpectedRevenue.isAccessible()) {
    Opportunity[] myList = [SELECT ExpectedRevenue FROM Opportunity LIMIT 1000];
} else {
    System.debug('Insufficient Accessibility Permissions');
}

IsUpdateable()

Before you update a record, you have to check if the logged-in user has “Edit” permission for the field and the object. You can check for both permissions by checking if the particular field isUpdateable().

// o is an Opportunity record retrieved earlier
if (Schema.sObjectType.Opportunity.fields.StageName.isUpdateable()) {
    o.StageName = 'Closed Won';
    update o;
} else {
    System.debug('Insufficient Permissions');
}

IsDeleteable()

To enforce “delete” access restrictions, use the isDeleteable() function before your code performs a delete database operation.

// l is the Opportunity record (or list of records) to delete
if (Opportunity.sObjectType.getDescribe().isDeleteable()) {
    delete l;
}

Note: Since you delete records in SOQL and do not delete fields, you need to check only the user’s CRUD access to the object.
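
The four checks above can be gathered into one reusable guard that throws instead of logging, so the query or DML can never run after a failed check. This is an added example, not code from the original article; the class FlsGuard, its Access enum, FlsException and the closeWon method are hypothetical names, and it generalizes the single-field checks to any list of fields.

```apex
// Added example: FlsGuard, Access and FlsException are hypothetical names.
public with sharing class FlsGuard {
    public enum Access { CAN_READ, CAN_CREATE, CAN_UPDATE }
    public class FlsException extends Exception {}

    // Throws unless the running user has the requested access to every
    // listed field, so the caller's query or DML never runs after a failed check.
    public static void require(Schema.SObjectType objType, Access mode, List<String> fieldNames) {
        Schema.DescribeSObjectResult od = objType.getDescribe();
        Map<String, Schema.SObjectField> fields = od.fields.getMap();
        for (String fieldName : fieldNames) {
            Schema.SObjectField f = fields.get(fieldName.toLowerCase());
            if (f == null) {
                throw new FlsException('Unknown field ' + od.getName() + '.' + fieldName);
            }
            if (!allowed(f.getDescribe(), mode)) {
                throw new FlsException('No ' + mode.name() + ' on ' + od.getName() + '.' + fieldName);
            }
        }
    }

    // Delete is an object-level (CRUD) permission; there is no field-level check.
    public static void requireDelete(Schema.SObjectType objType) {
        Schema.DescribeSObjectResult od = objType.getDescribe();
        if (!od.isDeleteable()) {
            throw new FlsException('No delete access to ' + od.getName());
        }
    }

    // Maps the requested access mode to the matching describe method.
    private static Boolean allowed(Schema.DescribeFieldResult fd, Access mode) {
        if (mode == Access.CAN_READ) { return fd.isAccessible(); }
        if (mode == Access.CAN_CREATE) { return fd.isCreateable(); }
        return fd.isUpdateable();
    }

    // Usage: check every field the operation touches, then perform it.
    public static void closeWon(Opportunity o) {
        require(Opportunity.SObjectType, Access.CAN_UPDATE, new List<String>{ 'StageName' });
        o.StageName = 'Closed Won';
        update o;
    }
}
```

Callers that render the result to a user can catch FlsException and show a permission error rather than partial data.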
