October 11, 2011

Visualforce RelatedList CRUD FLS Security Tip !

Visualforce makes it very easy to create pages with the Salesforce look and feel. It also implements most of the Salesforce security guidelines transparently for developers, though a few items still need to be handled by the developer. All these items are discussed in great detail on the DeveloperForce WIKI here. The motive of this post is to highlight a common mistake made by many developers, one that matters from both a security and a quality point of view.

The code below is a very basic example of a Visualforce page that shows some Account details with a Contact related list only.

<apex:page standardController="Account">
    <apex:detail relatedList="false"/>
    <apex:relatedList list="Contacts"/>
</apex:page>

This page will work very well for all users whose profiles have at least READ permission on the "Contact" standard object. But the same page will crash completely if the user's profile does not have at least READ permission on Contact, like this:

Visualforce error on missing related list permission

So it is clear that Salesforce does not transparently hide the related list when the permission is missing. It is therefore highly recommended that all Salesforce developers add a CRUD/FLS security check on related lists too, like this:

<apex:page standardController="Account">
    <apex:detail relatedList="false"/>
    <!--
        Control rendering of the related list by checking the relevant
        child sobject, via $ObjectType.Contact.accessible
    -->
    <apex:relatedList list="Contacts" rendered="{!$ObjectType.Contact.accessible}"/>
</apex:page>

Now the page will at least show the Account record details, minus the Contacts related list, which is exactly what should happen according to the profile permissions.
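The same fail-closed check can be applied in Apex when the child records are rendered with a custom table instead of apex:relatedList. The controller extension below is an added example, not code from the original post; its class, property names and the Email column are assumptions for this illustration.

```apex
// Added example (not from the original post): a controller extension that
// gates a custom Contact table with the same object-level CRUD check as
// $ObjectType.Contact.accessible, plus a field-level (FLS) check per column.
// Class and property names are assumptions made for this illustration.
public with sharing class AccountContactsExtension {

    private final Id accountId;

    // True only when the running user's profile or permission sets grant
    // READ on the Contact object. The page binds rendered="{!canViewContacts}"
    // on the table so nothing Contact-related renders without it.
    public Boolean canViewContacts { get; private set; }

    // True only when the user can also read Contact.Email; the page binds
    // rendered="{!canViewEmail}" on that column.
    public Boolean canViewEmail { get; private set; }

    public List<Contact> contacts { get; private set; }

    public AccountContactsExtension(ApexPages.StandardController stdController) {
        accountId = stdController.getId();
        contacts = new List<Contact>();

        // Object-level CRUD check, equivalent to $ObjectType.Contact.accessible.
        canViewContacts = Schema.sObjectType.Contact.isAccessible();

        // Field-level security check for a column the custom table would show.
        canViewEmail = canViewContacts
            && Schema.sObjectType.Contact.fields.Email.isAccessible();

        if (!canViewContacts) {
            // Fail closed: no query at all when the object is not readable.
            return;
        }

        // Only select fields the user may read, so the query never pulls a
        // value that the page would then have to hide.
        List<String> fieldNames = new List<String>{ 'Id', 'Name' };
        if (canViewEmail) {
            fieldNames.add('Email');
        }
        String soql = 'SELECT ' + String.join(fieldNames, ', ')
            + ' FROM Contact WHERE AccountId = :accountId';
        // "with sharing" above also enforces record-level sharing on this query.
        contacts = Database.query(soql);
    }
}
```

On the page, the matching bindings would be `<apex:pageBlockTable value="{!contacts}" var="c" rendered="{!canViewContacts}">` with `<apex:column value="{!c.Email}" rendered="{!canViewEmail}"/>`, so a profile lacking either permission sees a reduced page rather than an error.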

I hope the above fix will make life easy post go-live, with no fear of facing a panicked customer whose page is messed up for a given profile :)
