Invoking a custom Apex REST Web service method always uses system context. Consequently,
the current user's credentials are not used, and any user who has
access to these methods can use their full power, regardless of permissions,
field-level security, or sharing rules. Developers who expose methods
using the Apex REST annotations should therefore take care that they are not inadvertently
exposing any sensitive data.
Apex class methods that are exposed through the Apex REST API don't enforce object permissions and field-level security by
default. We recommend that you make use of the appropriate object
or field describe result methods to check the current user’s
access level on the objects and fields that the Apex REST API method is accessing. See DescribeSObjectResult Class and DescribeFieldResult Class.
Also, sharing rules (record-level access) are enforced only when a class is declared with the with sharing keyword. This requirement applies to all Apex classes, including classes that are exposed through the Apex REST API. To enforce sharing rules for Apex REST API methods, declare the class that contains these methods with the with sharing keyword. See Using the with sharing or without sharing Keywords.
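The following Apex REST resource is an added example, not code from the Salesforce documentation above. It shows the two recommendations together: the class is declared with sharing so the SOQL query respects record-level access, and the method checks object and field access with DescribeSObjectResult and DescribeFieldResult before reading data. The class name, the /contactEmail URL mapping, and the choice of the Contact object and its Email field are assumptions made for the example.

```apex
// Added example (not part of the documentation): an Apex REST method that
// runs with sharing and checks object/field access with describe results.
// The urlMapping, class name, and Contact/Email choice are assumptions.
@RestResource(urlMapping='/contactEmail/*')
global with sharing class ContactEmailResource {

    @HttpGet
    global static void getContactEmail() {
        RestRequest req = RestContext.request;
        RestResponse res = RestContext.response;

        // The record Id is the last path segment of the request URI,
        // e.g. /services/apexrest/contactEmail/<ContactId>
        String contactId = req.requestURI.substring(req.requestURI.lastIndexOf('/') + 1);

        // Object-level check: DescribeSObjectResult.isAccessible() reflects the
        // calling user's object permissions, which system context does not enforce.
        Schema.DescribeSObjectResult contactDescribe = Contact.sObjectType.getDescribe();
        if (!contactDescribe.isAccessible()) {
            res.statusCode = 403;
            res.responseBody = Blob.valueOf('Insufficient object access: Contact');
            return;
        }

        // Field-level check: DescribeFieldResult.isAccessible() reflects the
        // calling user's field-level security for Contact.Email.
        Schema.DescribeFieldResult emailDescribe = Schema.sObjectType.Contact.fields.Email;
        if (!emailDescribe.isAccessible()) {
            res.statusCode = 403;
            res.responseBody = Blob.valueOf('Insufficient field access: Contact.Email');
            return;
        }

        // Because the class is declared with sharing, this query returns only
        // records the calling user can see under the org's sharing rules.
        List<Contact> contacts = [SELECT Id, Email FROM Contact WHERE Id = :contactId LIMIT 1];
        if (contacts.isEmpty()) {
            // Either the record does not exist or the caller has no record-level access;
            // both cases return the same response so nothing about hidden records leaks.
            res.statusCode = 404;
            res.responseBody = Blob.valueOf('Contact not found');
            return;
        }

        res.statusCode = 200;
        res.addHeader('Content-Type', 'application/json');
        res.responseBody = Blob.valueOf(JSON.serialize(new Map<String, Object>{
            'id'    => contacts[0].Id,
            'email' => contacts[0].Email
        }));
    }
}
```

Without the with sharing declaration, the same query would return the record for any caller allowed to invoke the endpoint, and without the describe checks a user whose profile hides Contact.Email would still receive the field in the response.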