This content describes an older version of this product.

CRUD and Field-Level Security (FLS)

In addition to the Content Security Policy, Lightning Components imposes CRUD and field-level security to ensure component security.

Lightning components don’t automatically enforce CRUD and FLS when you reference objects or retrieve them from an Apex controller. This means that the framework continues to display records and fields for which users don’t have CRUD access and FLS visibility. You must enforce CRUD and FLS yourself in your Apex controllers. For example, including the with sharing keyword in an Apex controller ensures that users see only the records they have access to in a Lightning component. Additionally, you must explicitly check isAccessible(), isCreateable(), isDeletable(), and isUpdateable() before performing operations on records or objects.

This example shows the recommended way to perform an operation on the expense object introduced in Create a Standalone Lightning App.

public with sharing class ExpenseController {

    // ns refers to namespace; leave out ns__ if not needed
    // This method is vulnerable: it returns every field without checking FLS.
    @AuraEnabled
    public static List<ns__Expense__c> get_UNSAFE_Expenses() {
        return [SELECT Id, Name, ns__Amount__c, ns__Client__c, ns__Date__c,
            ns__Reimbursed__c, CreatedDate FROM ns__Expense__c];
    }

    // This method is recommended.
    @AuraEnabled
    public static List<ns__Expense__c> getExpenses() {
        String[] expenseAccessFields = new String[] {'Id',
                                                     'Name',
                                                     'ns__Amount__c',
                                                     'ns__Client__c',
                                                     'ns__Date__c',
                                                     'ns__Reimbursed__c',
                                                     'CreatedDate'
                                                     };

        // Obtain the field name/token map for the Expense object
        Map<String,Schema.SObjectField> m = Schema.SObjectType.ns__Expense__c.fields.getMap();

        for (String fieldToCheck : expenseAccessFields) {

            // Check if the user has access to view the field
            if (!m.get(fieldToCheck).getDescribe().isAccessible()) {

                // Pass error to client; nothing after the throw is reached
                throw new System.NoAccessException();
            }
        }

        // Query the object safely
        return [SELECT Id, Name, ns__Amount__c, ns__Client__c, ns__Date__c,
            ns__Reimbursed__c, CreatedDate FROM ns__Expense__c];
    }
}

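The sample above covers only read access (isAccessible()). The following controller, an added example that is not part of the original page, applies the same pattern to a write: it checks object-level isUpdateable() and field-level isUpdateable() for each field it intends to change before issuing DML on the same Expense object. The class name ExpenseUpdateController, the updateExpense method and its parameters are assumptions.

```apex
public with sharing class ExpenseUpdateController {

    // Fields this method writes; each must be updateable by the running user
    private static final List<String> WRITE_FIELDS = new List<String>{
        'ns__Amount__c', 'ns__Reimbursed__c'
    };

    @AuraEnabled
    public static ns__Expense__c updateExpense(Id expenseId, Decimal amount, Boolean reimbursed) {
        // Object-level CRUD: can the running user update Expense records at all?
        Schema.DescribeSObjectResult objDescribe = Schema.SObjectType.ns__Expense__c;
        if (!objDescribe.isUpdateable()) {
            throw new System.NoAccessException();
        }

        // Field-level security: every field about to be written must be updateable
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String fieldName : WRITE_FIELDS) {
            Schema.SObjectField token = fieldMap.get(fieldName);
            // A missing token means the name is wrong or the field is hidden; treat as no access
            if (token == null || !token.getDescribe().isUpdateable()) {
                throw new System.NoAccessException();
            }
        }

        // with sharing limits this query to records the user is allowed to see
        ns__Expense__c exp = [SELECT Id, ns__Amount__c, ns__Reimbursed__c
                              FROM ns__Expense__c WHERE Id = :expenseId LIMIT 1];
        exp.ns__Amount__c = amount;
        exp.ns__Reimbursed__c = reimbursed;
        update exp;
        return exp;
    }
}
```

The same structure applies to insert and delete: check isCreateable() or isDeletable() on the object describe (and isCreateable() on each field you populate) before the DML statement.
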
For more information, see the articles on Enforcing CRUD and FLS and Lightning Security.

Note