Data Access Control
The Lightning Platform makes extensive use of data sharing rules. Each object has permissions and can have sharing settings that control which users can read, create, edit, and delete its records. These settings are enforced when using all standard controllers.
When using an Apex class, the built-in user permissions and field-level security restrictions aren't respected during execution. The default behavior is that an Apex class has the ability to read and update all data. Because these rules are not enforced, developers who use Apex must avoid inadvertently exposing sensitive data that would normally be hidden from users by user permissions, field-level security, or defaults, particularly for Visualforce pages. For example, consider this Apex pseudo-code.
In this case, all contact records are searched, even if the user currently logged in would not normally have permission to view these records. The solution is to use the qualifying keywords with sharing when declaring the class:
The with sharing keyword directs the platform to use the security sharing permissions of the user currently logged in, rather than granting full access to all records.
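The contrast described above, as an added example that is not code from the original page: a controller declared without a sharing keyword next to its with sharing counterpart. The class names, the searchName property and the results list are hypothetical, and the explicit object and field permission checks are an addition here, because with sharing applies record sharing only.

```apex
// Added example. Class and member names are hypothetical.
// Each top-level class belongs in its own .cls file.

// Before: no sharing keyword. Used as a Visualforce controller, this class
// runs in system context, so the query returns every matching Contact,
// including records the logged-in user could not normally view.
public class ContactSearchUnsafe {
    public String searchName { get; set; }
    public List<Contact> results { get; private set; }

    public void read() {
        results = [SELECT Id, Name, Email FROM Contact WHERE Name = :searchName];
    }
}

// After: with sharing makes the query honor the sharing rules of the
// logged-in user, so only records shared with that user are returned.
public with sharing class ContactSearchController {
    public String searchName { get; set; }
    public List<Contact> results { get; private set; }

    public void read() {
        results = new List<Contact>();

        // with sharing does not enforce object permissions or field-level
        // security, so check read access before querying.
        Boolean canReadContact = Schema.sObjectType.Contact.isAccessible();
        Boolean canReadEmail =
            Schema.sObjectType.Contact.fields.Email.isAccessible();
        if (!canReadContact || !canReadEmail) {
            return; // leave results empty rather than expose hidden data
        }

        // The bind variable (:searchName) keeps user input out of the
        // query text.
        results = [SELECT Id, Name, Email FROM Contact WHERE Name = :searchName];
    }
}
```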