rangaranga 

Using ESAPI to enforce object level security

Hi all,

I'm wondering how the ESAPI SFDCAccessController could be used to enforce object level security. For example, is there a way to get a list of objects accessible to a particular user (according to that user's profile)?

Thanks in advance.

ygluckygluck

The SFDCAccessController module enforces object level security (CRUD) based on the current user when you call insertAsUser, deleteAsUser, etc. It does not provide a mechanism to get a list of objects and their permissions; it also does not provide methods for checking perms for other users.

Yoel Gluck

Product Security Team @ Salesforce.com

rangaranga

Thanks Yoel,

Is there any other way in which I could fulfill my requirement?

rangaranga

I came up with a solution, but I don't think it is the best way to handle it.

public Boolean checkVisibility(SObject obj)
{
    SFDCAccessController sdf = new SFDCAccessController();
    // ESAPI returns the fields of obj that the current user may view;
    // a non-empty list means the object itself is readable.
    Schema.SObjectField[] fields = sdf.getViewableFields(obj);
    if (fields.size() != 0)
    {
        return true;
    }
    else
    {
        return false;
    }
}


With this method I can check whether a particular object is accessible to a user.

But with this solution, the problem is that I cannot get a collection of accessible objects. To accomplish that I tried the following, but a Limit exception occurred (too many fields inside the loop).

public Map<String, SObject> getSobjects()
{
    Map<String, Schema.SObjectType> gd = Schema.getGlobalDescribe();
    Map<String, SObject> sObjects = new Map<String, SObject>();
    Set<String> keys = gd.keySet();
    SFDCAccessController sdf = new SFDCAccessController();
    for (String key : keys)
    {
        SObject sObj = gd.get(key).newSObject();
        // Here is the problem: a Limit exception occurs as I try to
        // retrieve all the available fields for that particular sObject
        Schema.SObjectField[] fields = sdf.getViewableFields(sObj);
        if (fields.size() > 0)
        {
            sObjects.put(key, sObj);
        }
    }
    return sObjects;
}

Any comments... :)

ygluckygluck

When a developer is writing a specific app, he is only using a few specific objects. In this case, what the developer would want to do is to verify that the current user has the proper permissions for those objects. IMO it should be enough for the developer to be able to confirm that the current user has the proper permission needed for his application based on the objects and fields used by his application. Do you have a reason this would not be enough in your case?

In addition, we are in the process of adding a few functions to the Force.com ESAPI to help investigate the current user's permissions on specific objects and fields before calling insertAsUser, updateAsUser, and createAsUser. Currently, we only have getViewableFields, getCreatableFields, and getUpdateableFields. However, the new methods will allow you to provide an object and the fields you need the user to have specific types of perms for, and just confirm whether he has or does not have those perms.

Yoel Gluck

Product Security Team @ Salesforce.com

rangaranga

Thanks Yoel,

Yes, I get your point. Actually, what I wanted to do was to disable some links in a Visualforce page according to the access privileges of a user.

At the end I found a simple and nice way to handle it. I have posted it in the discussion board.

I used the following code snippet.

rendered="{!$ObjectType.custome_object__c.accessible}"

Thanks.
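An added example, not code from this thread or from the Force.com ESAPI: the Apex equivalent of the $ObjectType...accessible check above, evaluated through the describe API for only the objects an application actually uses (as Yoel suggested), so it never walks the whole global describe the way the getSobjects loop did. The class name and the object names in the comments are assumptions.

```apex
// Added example (not code from the thread): object-level CRUD check for the
// running user via Schema describe, which is what the Visualforce expression
// $ObjectType.<name>.accessible evaluates. Object names are illustrative;
// pass the objects your own page or app uses.
public with sharing class ObjectAccessCheck {

    // Result of one object-level check for the running user.
    public class ObjectAccess {
        public String apiName;
        public Boolean accessible;
        public Boolean createable;
        public Boolean updateable;
        public Boolean deletable;
    }

    // Checks only the named objects instead of every key in the global
    // describe, so the per-transaction describe limits are not approached.
    public static Map<String, ObjectAccess> describeAccess(Set<String> objectApiNames) {
        Map<String, Schema.SObjectType> gd = Schema.getGlobalDescribe();
        Map<String, ObjectAccess> result = new Map<String, ObjectAccess>();
        for (String apiName : objectApiNames) {
            // Global describe keys are lower-case API names.
            Schema.SObjectType t = gd.get(apiName.toLowerCase());
            if (t == null) {
                continue; // unknown object: omitted, so callers treat it as not accessible
            }
            Schema.DescribeSObjectResult d = t.getDescribe();
            ObjectAccess a = new ObjectAccess();
            a.apiName = d.getName();
            a.accessible = d.isAccessible();   // same check as $ObjectType.X.accessible
            a.createable = d.isCreateable();
            a.updateable = d.isUpdateable();
            a.deletable = d.isDeletable();
            result.put(apiName, a);            // keyed by the caller's spelling
        }
        return result;
    }

    // Single-object convenience, e.g. exposed through a controller getter
    // and bound to a component's rendered attribute to hide a link.
    // Example (assumed object name): canRead('Account')
    public static Boolean canRead(String objectApiName) {
        ObjectAccess a = describeAccess(new Set<String>{ objectApiName }).get(objectApiName);
        return a != null && a.accessible;
    }
}
```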