Month: August 2019

Secure your code using Inherited Sharing

As you are commonly using with sharing or without sharing in apex class, but using without sharing is insecure when you are exposing you data outside and you need to mention false positive statement to pass security review of you code for AppExchange.

Designing Apex classes that can run in either with sharing or without sharing mode at runtime is an advanced technique. Such a technique can be difficult to distinguish from one where a specific sharing declaration is accidentally omitted

Now you can specify the Inherited Sharing keyword on an Apex class, which allows the class to run your apex code with or without sharing settings, depending on the class that called it.

An explicit inherited sharing declaration makes the intent clear, avoiding ambiguity arising from an omitted declaration or false positives from security analysis tooling.

Using inherited sharing enables you to pass AppExchange Security Review and ensure that your privileged Apex code is not used in unexpected or insecure ways.

An Apex class with inherited sharing runs as with sharing when used as:

  • An Aura component controller
  • A Visualforce controller
  • An Apex REST service
  • Any other entry point to an Apex transaction

Difference between an Apex class that is marked with inherited sharing and one with an omitted sharing declaration. If the class is used as the entry point to an Apex transaction, an omitted sharing declaration runs as without sharing. However, inherited sharing ensures that the default is to run as with sharing. A class declared as inherited sharing runs as without sharing only when explicitly called from an already established without sharing context.

Example :-

public inherited sharing class InheritedSharingClass{
    public List<Contact> getAllTheSecrets(){
        return [SELECT Name FROM Contact];
    }
}
<apex:page controller="InheritedSharingClass">
    <apex:repeat value="{!allTheSecrets}" var="record">
        {!record.Name}
    </apex:repeat>
</apex:page>

Apex class used here, with inherited sharing and a Visualforce invocation of that Apex code. Because of the inherited sharing declaration, only contacts for which the running user has sharing access are displayed. If the declaration is omitted, even contacts that the user has no rights to view are displayed due to the insecure default behavior.

Advertisements

Understanding Sharing in Apex Class

To enforce sharing rule on an apex class we use key work – with sharing or with out sharing.  And non-sharing-speficied classes – which is sometime really confusing.

By default Apex code run on the System Context, which means In System context apex code can access all Objects and fields – object permission, field-level security(FLS), sharing rules are not applied for the current user.

With Sharing –

with sharing means “With Security Sharing Setting enforced” for the current user for the class.

public with sharing class sharingClass {
// Code here
}

Without sharing

without sharing mean “without security sharing setting enforced” for the current user to the accessing class.

public without sharing class noSharingClass {
// Code here
}

Further Details –

  • The sharing setting of the class where method is defined is applied, not of the class where method is called.
    • For example –  if a method is defined in a class declared with with sharing is called by a class declared with without sharing, the method executes with sharing rules enforced
  • If a class is declared as “with sharing” then, the sharing settings apply to all code contained in the class, including initialization code, constructors and methods. However.
  • Both inner classes and outer classes can be declared as with sharing.
  • Inner Classes DO NOT inherit sharing settings from the container class.
  • Classes inherit this setting from a parent class when one class extends or implements another.
  • If a class is not declared either with sharing or without sharing, then by default, such a class is executed in system mode, i.e. without sharing mode; and current sharing rules remain in effect- which means that if any other class that has sharing enforced, calls such a non-specified-sharing class, then the called or non-specified-sharing class is executed in “with sharing” mode.
  • If class B extends class A, then all code in class B inherits the same sharing settings that class A . However, class B’s inner classes do not inherit class B’s sharing settings.
  • If a class is not declared either with sharing or without sharing, then by default, such a class is executed in system mode, i.e. without sharing mode; and current sharing rules remain in effect- which means that if any other class that has sharing enforced, calls such a non-specified-sharing class, then the called or non-specified-sharing class is executed in “with sharing” mode.
    • But If you run a class that has no sharing in Execute Anonymous, or in Chatter, it is treated as “with sharing.”
  • If a with sharing class calls a without sharing class, then the called method(s) will be executed in the mode of the class in which they were defined, in this case, the called method(s) will execute in without sharing mode.

 

  • public with sharing class A {}
  • public without sharing class B{}
  • public class C{}  // Class C is a non-specified-sharing class > without sharing
  1. class B extends A
    1. class B’s code now executes in class A’s mode, i.e. in “with sharing” mode. As the extended class A mode apply on class B.
  2. class B calls class A
    1. called code will now be executed in the mode of the class in which it was defined, in this case, in class A’s mode, i.e. in “with sharing” mode.
  3. class C calls class A
    1. called method’s code in class A will execute in class A’s mode, i.e. in “with sharing” mode.
  4. class C extends class A
    1. code in class C now executes in the parent class A’s mode, i.e. in “with sharing” mode.
  5. class A calls C
    1.  code in class C is executed in class C’s mode, i.e. in “without sharing” mode although it’s sharing settings are unspecified in the class’ declaration.
    2. Class C has no keyword so the caller class i.e class A decides the behaviour and hence sharing rules apply
  6. class A extends C
    1. class A’s code now executes in the parent class C’s mode, i.e. in “without sharing” mode.
    2. If A is “public with sharing class A extends C”, then it is “with sharing,”

NOTE – We can’t enforce field level security(FLS) or profile permissions with “with sharing,” as this would make code much more difficult to debug because of failures.

If you do not specify “with sharing” or “without sharing” for the inner class, it behaves according to the calling class mode, or “without sharing” if called directly.

Hello World ! LWC

Follow this trialhead module –

https://trailhead.salesforce.com/content/learn/projects/quick-start-lightning-web-components

2. Install CLI (Command Line Interface). Download from this link –

macOS https://sfdc.co/sfdx_cli_osx
Windows 32-bit https://sfdc.co/sfdx_cli_win
Windows 64-bit https://sfdc.co/sfdx_cli_win64

2. To check CLI install proper, go to VS Code terminal > write sfdx enter

You can get the output –

Usage: sfdx COMMAND [command-specific-options]
Help topics, type “sfdx help TOPIC” for more details:
sfdx force # tools for the salesforce developer
sfdx plugins # manage plugins
sfdx update # update sfdx-cli

Create a Salesforce DX Project
  1. In Visual Studio code, open the Command Palette by pressing Ctrl+Shift+P on Windows or Cmd+Shift+P on macOS.
  2. Type SFDX.
  3. Select SFDX: Create Project.
  4. Enter HelloWorldLightningWebComponent as the project name.
  5. Press Enter.
  6. Select a folder to store the project.
  7. Click Create Project. You should see something like this as your base setup.
Create a Lightning Web Component
  1. In Visual Studio code, open the Command Palette by pressing Ctrl+Shift+P on Windows or Cmd+Shift+P on macOS.
  2. Type SFDX.
  3. Select SFDX: Create Lightning Web Component.
  4. Press Enter to accept the default force-app/main/default/lwc.
  5. Enter helloWorld for the name of the new component.
  6. Press Enter.
  7. View the newly created files in Visual Studio Code.
  8. In the HTML file, helloWorld.html, copy and paste the following code.
<template>
<lightning-card title="HelloWorld" icon-name="custom:custom14">
<div class="slds-m-around_medium">
<p>Hello, {greeting}!</p>
<lightning-input label="Name" value={greeting} onchange={changeHandler}></lightning-input>
</div>
</lightning-card>
</template>

9. In the JavaScript file, helloWorld.js, copy and paste the following code.

import { LightningElement, track } from 'lwc';
export default class HelloWorld extends LightningElement {
    @track greeting = 'World';
    changeHandler(event) {
        this.greeting = event.target.value;
    }
}

10. In the XML file helloWorld.js-meta.xml, copy and paste the following code.

<?xml version="1.0" encoding="UTF-8"?>
<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata" fqn="helloWorld">
  <apiVersion>45.0</apiVersion>
  <isExposed>true</isExposed>
  <targets>
    <target>lightning__AppPage</target>
    <target>lightning__RecordPage</target>
    <target>lightning__HomePage</target>
  </targets>
</LightningComponentBundle>

11. Deploy the code to your org.

With the default folder right-clicked, SFDX: Deploy Source to Org is selected in the options list.

12. Now the new LWC will be available in org. Edit the home page

Capture (2)

If you are deploying will get error –

Error: read ECONNRESET
Run below commands in terminals of VS Code –
set https-proxy https://username:brosalesforce@gmail.com:8080
set proxy https://username:brosalesforce@gmail.com:8080
set sslVerify false
set strict-ssl false