Enforce Security With the stripInaccessible Method. This is again one of the gem of Spring 20. We now have stripInaccessible method available which we can use to check current user’s create, read, update, or upsert access permission. Previously to do this we need to use sObject Describe ObjectResult and FieldResult to check each permission for every field. Now we can use stripInaccessible method to check permission for all fields and object return from query and sub-query. This is a great addition with WITH SECURITY ENFORCED as combine these two can handle most of the secuirt and permission points.
We now check the method format here:
public static System.SObjectAccessDecision stripInaccessible(System.AccessType accessCheckType, List
Uses values from the AccessType enum. This parameter determines the type of field-level access check to be performed. Supported values are CREATABLE, READABLE, UPDATABLE, UPSERTABLE
A list of sObjects to be checked for fields that aren’t accessible in the context of the current user’s operation.
Indicates whether an object-level access check is performed. If this parameter is set to true and the access check fails, the method throws an exception. The default value of this optional parameter is true. This parameter is optional and can be skipped.
Now we will check the code sample:
List<Account> accountList =[SELECT Id, Name, Phone FROM Account]; //Strip fields that are not readable SObjectAccessDecision decisionRead = Security.stripInaccessible( AccessType.READABLE, accountList); //Print secured records System.debug('Secure record access: '+decisionRead.getRecords()); // Print modified indexes System.debug('Records modified by stripInaccessible: '+decisionRead.getModifiedIndexes()); // Print removed fields System.debug('Fields removed by stripInaccessible: '+decisionRead.getRemovedFields()); //Strip fields that are not updatedable SObjectAccessDecision decisionUpdate = Security.stripInaccessible( AccessType.UPDATABLE, accountList); //Print secured records System.debug('Secure record access: '+decisionUpdate.getRecords()); // Print modified indexes System.debug('Records modified by stripInaccessible: '+decisionUpdate.getModifiedIndexes()); // Print removed fields System.debug('Fields removed by stripInaccessible: '+decisionUpdate.getRemovedFields()); //update records without error update decisionUpdate.getRecords();
And this is the output we will get
Here we have stripped the Phone field as we don’t have permission of that. Without this method user will get an exception of no access but now they can easily update the record without any error.
decisionUpdate.getRemovedFields() will return the fields which are removed due to no access.
decisionUpdate.getRecords() will return list<sObject> which we can use to perform DML operation.
Those who worked on App exchange product know, to handle these use cases previously we need to write security util class and need to check permission for each field. If we miss any field or object we got error in security review process. But now we can optimize that process and can do this in very less time and can enforce Security With the stripInaccessible. You can check Security class here.
Do you have any questions or wants to add anything, let me know in comments. Happy Programming 🙂
2 thoughts on “Enforce Security With the stripInaccessible Method”
How to get the fields that are required
You can use describe methods for same.