Skip to content

Instantly share code, notes, and snippets.

@TheVishnuKumar
Created August 9, 2019 03:50
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save TheVishnuKumar/beb25d7c5cffaeb358409a3bb6d038b0 to your computer and use it in GitHub Desktop.
Cracking Security Review Example Code
public with sharing class AppException extends Exception {}
public with sharing virtual class DAO{
private static boolean isPassSecurity;// = Test.isRunningTest() ? True : null ;
public static Boolean isAccessible(sObject sObj, List < String > fields) {
if( isPassSecurity != null && isPassSecurity ){isPassSecurity = false; return true;}
Schema.DescribeSObjectResult describeResult = sObj.getSObjectType().getDescribe();
if (describeResult.isAccessible() ) {
Map < String, Schema.SObjectField > fieldMap = describeResult.fields.getMap();
for (String fieldToCheck: fields) {
if (!fieldMap.get(fieldToCheck).getDescribe().isAccessible()) {
throw new AppException('Insufficient read access. ( Field: '+fieldToCheck + ' )' );
}
}
return true;
} else {
throw new AppException('Insufficient read access. ( Object: '+sObj.getSObjectType() +' )' );
}
}
public static Boolean isAccessible(String sObjName, List < String > fields) {
if( isPassSecurity != null && isPassSecurity ){isPassSecurity = false; return true;}
Schema.DescribeSObjectResult describeResult = Schema.getGlobalDescribe().get(sObjName).getDescribe();
if (describeResult.isAccessible() ) {
Map < String, Schema.SObjectField > fieldMap = describeResult.fields.getMap();
for (String fieldToCheck: fields) {
if (!fieldMap.get(fieldToCheck).getDescribe().isAccessible()) {
throw new AppException('Insufficient read access. ( Field: '+fieldToCheck + ' )' );
}
}
return true;
} else {
throw new AppException('Insufficient read access. ( Object: '+sObjName+' )' );
}
}
//Call this method before calling any any DML method. This will disobey the security rule for that DML operation.
public static void byPassSecurity(){
isPassSecurity = true;
}
}
public with sharing class DAOUser extends DAO{
private static final sObject SOBJ = new User();
public static list<user> selectAll(){
if( isAccessible(SOBJ, new List<String>{'Name'} ) ){
return [SELECT Name FROM User where isActive= true];
}
return null;
}
public static user selectById(string uid){
if( isAccessible(SOBJ, new List<String>{'Name'} ) ){
return [SELECT Name,TimeZoneSidKey,Email FROM User where id =: uid];
}
return null;
}
public static List<user> selectByIds(Set<String> uids){
if( isAccessible(SOBJ, new List<String>{'Name'} ) ){
return [SELECT Name FROM User where id in: uids];
}
return null;
}
}
public with sharing class DML{
private static boolean isPassSecurity;
/*
Examples:
List<Contact> cons = new List<Contact>();
DML.doInsert(cons,new list<string>{'FirstName','LastName'} );
DML.doUpdate(cons,new list<string>{'FirstName','LastName'} );
DML.doDelete(cons);
*/
//Insert Method for Bulk data
public static void doInsert(list < Sobject > listOfData, list < String > fields) {
if( !listOfData.isEmpty() && isCreateable( listOfData, fields ) ){
insert listOfData;
}
}
//Update Method for Bulk data
public static void doUpdate(list < Sobject > listOfData, list < String > fields) {
if( !listOfData.isEmpty() && isUpdateable( listOfData, fields ) ){
update listOfData;
}
}
//Update Method for Bulk data with Partial Update
public static void doUpdate(list < Sobject > listOfData, list < String > fields, boolean allOrNone) {
if( !listOfData.isEmpty() && isUpdateable( listOfData, fields ) ){
Database.update(listOfData, allOrNone);
}
}
//Delete Method for Bulk data
public static void doDelete(list < Sobject > listOfData) {
if( !listOfData.isEmpty() && isDeletable( listOfData ) ){
delete listOfData;
}
}
/*---------------------------------------------FLS AND CRUD-----------------------------------------------------------*/
public static Boolean isDeletable(List<sObject> sObj) {
if( isPassSecurity != null && isPassSecurity ){isPassSecurity = false; return true;}
for( sObject sOb : sObj ){
Schema.DescribeSObjectResult describeResult = sOb.getSObjectType().getDescribe();
if (describeResult.isDeletable()) {
return true;
} else {
throw new AppException('Insufficient delete access. ( Object: '+sOb.getSObjectType() +' )' );
}
}
return false;
}
public static Boolean isCreateable(List<sObject> sObj, List < String > fields) {
if( isPassSecurity != null && isPassSecurity ){isPassSecurity = false; return true;}
for( sObject sOb : sObj ){
Schema.DescribeSObjectResult describeResult = sOb.getSObjectType().getDescribe();
if (describeResult.isCreateable()) {
Map < String, Schema.SObjectField > fieldMap = describeResult.fields.getMap();
for (String fieldToCheck: fields) {
if (!fieldMap.get(fieldToCheck).getDescribe().isCreateable()) {
throw new AppException('Insufficient create access. ( Field: '+fieldToCheck + ' )' );
}
}
return true;
} else {
throw new AppException('Insufficient create access. ( Object: '+sOb.getSObjectType() +' )' );
}
}
return false;
}
public static Boolean isUpdateable(List<sObject> sObj, List < String > fields) {
if( isPassSecurity != null && isPassSecurity ){ isPassSecurity = false; return true;}
for( sObject sOb : sObj ){
Schema.DescribeSObjectResult describeResult = sOb.getSObjectType().getDescribe();
if (describeResult.isUpdateable()) {
Map < String, Schema.SObjectField > fieldMap = describeResult.fields.getMap();
for (String fieldToCheck: fields) {
if (!fieldMap.get(fieldToCheck).getDescribe().isUpdateable()) {
throw new AppException('Insufficient update access. ( Field: '+fieldToCheck + ' )' );
}
}
return true;
} else {
throw new AppException('Insufficient update access. ( Object: '+sOb.getSObjectType() +' )' );
}
}
return false;
}
//Call this method before calling any any DML method. This will disobey the security rule for that DML operation.
public static void byPassSecurity(){
isPassSecurity = true;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment