Access Control: Unenforced Sharing Rules

The Apex class contains database operations that can be executed without enforcement of the user sharing rules.

Salesforce applications use sharing rules to control user permissions and access to database records. However, user sharing rules are not always enforced in Apex because Apex classes can be declared with different sharing keywords that change the way the rules are enforced. A class can be declared with one of three different sharing keywords:

- with sharing: The user sharing rules will be enforced.
- without sharing: The sharing rules will not be enforced.
- inherited sharing: The sharing rules of the calling class will be enforced. When the calling class does not specify a sharing keyword, or when the class itself is an entrypoint such as a Visualforce controller, the user sharing rules will be enforced by default.

When none of the sharing keywords are declared, the class will inherit the sharing mode of the calling class if there is one. Otherwise, sharing rules will not be enforced.

Example 1: The following three Apex classes all have unsafe sharing keywords for their database query calls.

    public class TestClass1 {
        public List<Contact> getAllTheSecrets() {
            return Database.query('SELECT Name FROM Contact');
        }
    }

    public without sharing class TestClass2 {
        public List<Contact> getAllTheSecrets() {
            return Database.query('SELECT Name FROM Contact');
        }
    }

    public inherited sharing class TestClass3 {
        public List<Contact> getAllTheSecrets() {
            return Database.query('SELECT Name FROM Contact');
        }
    }

Both TestClass1 and TestClass2 are unsafe because the records can be retrieved without the enforcement of user sharing rules.

TestClass3 is safer because it enforces sharing rules by default. However, unauthorized access can still be granted if function getAllTheSecrets() is called in a class that explicitly declares without sharing.