Dynamic SOQL query relationship with field visibility for Users
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?
public with sharing class QuerySelector {
public static List<SObject> dynamicQuerySelector(Set<Id> idSet) {
// check if null
List<SObject> sObjectList = new List<SObject>();
if(idSet.size() > 0)
{
// convert the set to a list
List<Id> idList = new List<Id>(idSet);
Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
String recObject = String.valueOf(sor.getName());
Set<String> fieldNames = sor.fields.getMap().keySet();
String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';
sObjectList = Database.query(recordQuery);
return sObjectList;
}
return sObjectList;
}
}
apex soql
asked 8 hours ago
Matthew MetrosMatthew Metros
514
add a comment |
I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?
public with sharing class QuerySelector {
public static List<SObject> dynamicQuerySelector(Set<Id> idSet) {
// check if null
List<SObject> sObjectList = new List<SObject>();
if(idSet.size() > 0)
{
// convert the set to a list
List<Id> idList = new List<Id>(idSet);
Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
String recObject = String.valueOf(sor.getName());
Set<String> fieldNames = sor.fields.getMap().keySet();
String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';
sObjectList = Database.query(recordQuery);
return sObjectList;
}
return sObjectList;
}
}
apex soql
asked 8 hours ago
Matthew MetrosMatthew Metros
514
add a comment |
I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?
public with sharing class QuerySelector {
public static List<SObject> dynamicQuerySelector(Set<Id> idSet) {
// check if null
List<SObject> sObjectList = new List<SObject>();
if(idSet.size() > 0)
{
// convert the set to a list
List<Id> idList = new List<Id>(idSet);
Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
String recObject = String.valueOf(sor.getName());
Set<String> fieldNames = sor.fields.getMap().keySet();
String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';
sObjectList = Database.query(recordQuery);
return sObjectList;
}
return sObjectList;
}
}
apex soql
asked 8 hours ago
Matthew MetrosMatthew Metros
514
I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?
public with sharing class QuerySelector {
public static List<SObject> dynamicQuerySelector(Set<Id> idSet) {
// check if null
List<SObject> sObjectList = new List<SObject>();
if(idSet.size() > 0)
{
// convert the set to a list
List<Id> idList = new List<Id>(idSet);
Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
String recObject = String.valueOf(sor.getName());
Set<String> fieldNames = sor.fields.getMap().keySet();
String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';
sObjectList = Database.query(recordQuery);
return sObjectList;
}
return sObjectList;
}
}
apex soql
apex soql
asked 8 hours ago
Matthew MetrosMatthew Metros
514
asked 8 hours ago
Matthew MetrosMatthew Metros
514
asked 8 hours ago
Matthew MetrosMatthew Metros
514
asked 8 hours ago
Matthew MetrosMatthew Metros
514
asked 8 hours ago
Matthew MetrosMatthew Metros
514
514
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).
There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "459"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f260261%2fdynamic-soql-query-relationship-with-field-visibility-for-users%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).
There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
add a comment |
By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).
There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
add a comment |
By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).
There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).
There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
answered 8 hours ago
sfdcfoxsfdcfox
267k13213461
267k13213461
add a comment |
add a comment |
Thanks for contributing an answer to Salesforce Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f260261%2fdynamic-soql-query-relationship-with-field-visibility-for-users%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
