Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Access Control
Abstract
Executing a SOQL statement without checking user permissions can allow an attacker to modify unauthorized entries.
Explanation
Access control vulnerabilities occur when an attacker can access resources that are restricted to only authorized users.
By default, Visualforce applications automatically enforce Object-level security (CRUD) and Field-level security (FLS) when SObjects and SObject fields are used. However, if objects and fields are referenced as generic data types, these mechanisms are not enforced and access control checks need to be implemented programmatically.
Example 1: In the following code example, fields are updated using custom setter methods, and therefore require authorization checks.
By default, Visualforce applications automatically enforce Object-level security (CRUD) and Field-level security (FLS) when SObjects and SObject fields are used. However, if objects and fields are referenced as generic data types, these mechanisms are not enforced and access control checks need to be implemented programmatically.
Example 1: In the following code example, fields are updated using custom setter methods, and therefore require authorization checks.
<apex:page controller="accessControl">
<apex:pageBlock >
<apex:pageBlockSection >
<apex:outputText value="Survey Name: "/>
<apex:inputText value="{!surveyName}"/>
</apex:pageBlockSection>
<apex:pageBlockSection >
<apex:outputText value="New Name: "/>
<apex:inputText value="{!newSurveyName}"/>
</apex:pageBlockSection>
<apex:pageBlockSection >
<apex:commandButton value="Update" action="{!updateName}"/>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:page>
public String surveyName { get; set; }
public String newSurveyName { get; set; }
public PageReference updateName() {
Survey__c s = [SELECT Name FROM Survey__c WHERE Name=:surveyName];
s.Name = newSurveyName;
update s;
PageReference page = ApexPages.currentPage();
page.setRedirect(true);
return page;
}
References
[1] Salesforce Developers Technical Library Secure Coding Guidelines - Authorization and Access Control
[2] Salesforce Developers Technical Library Testing CRUD and FLS Enforcement
[3] Salesforce Developers Technical Library Enforcing CRUD and FLS
[4] Salesforce Developers Technical Library Visualforce Developers Guide - Standard Controllers
desc.structural.apex.access_control_update