Salesforce-org-Impact-Labs / 01HousingandHomelessness

Impact Lab - Housing & Homelessness
BSD 3-Clause "New" or "Revised" License

CRUD/FLS check #212

Open endlesscurls opened 4 years ago

endlesscurls commented 4 years ago

We had a good security review office hours yesterday and they flagged that we need CRUD/FLS to be correct to pass security review. There are a few places where this shows up in our code. Could everyone take a look and double check that we are correctly enforcing CRUD/FLS?

Wherever we are doing an update or insert it needs to be .accessible, .creatable, .updateable by the running user. Also, have you used the new stripInaccessible and WITH SECURITY_ENFORCED Apex features to ensure your code allows only users with the right permission to see/change/create data?

More info here: https://developer.salesforce.com/wiki/enforcing_crud_and_fls

@mshanemc @AIrwin33 (@cidarm @snugsfbay for Marci's email component)

endlesscurls commented 4 years ago

@sebastianocostanzo