November 17, 2011

Force.com ESAPI v0.5 & death of Apex-CRUD-FLS-Validator API.

“Apex-CRUD-FLS-Validator” was an open source project I started a few days back on github. The motive of this project was to add some handy APIs that were missing in Force.com ESAPI v0.4. At a high level, those missing APIs were:

  • An operation to assert() and throw an exception if CRUD/FLS is violated. We found it better to crash the page on a security error, as Salesforce itself does, so that an admin can grant the required access. Showing blank values or hiding items was a challenge to handle in complex screens.
  • An operation to check whether CRUD/FLS access is available on a given sObject/fields. This information is used later to show/hide links, buttons and sections.
  • The ability to cache the field describe call and reuse it across requests. This is important, as we are already caching describe information as part of other requirements, and don’t want to spend more describe calls for security enforcement on the same sObject/fields.


Apex-CRUD-FLS-Validator APIs merged with Force.com ESAPI

To merge these Apex-CRUD-FLS-Validator APIs with Force.com ESAPI, I had a discussion with Yoel Gluck. Yoel maintains the Google Code project for ESAPI and is Lead Product Security Engineer at Salesforce. In our discussions about adding these new APIs to the Force.com ESAPI project, we worked out a plan to merge them.

Neal Harris (Associate Product Security Engineer at Salesforce.com) is the man who finally made this API merge happen. He introduced the following new APIs in release v0.5 of Force.com ESAPI:

  • Added new functions isAuthorizedToView, isAuthorizedToCreate, isAuthorizedToUpdate, and isAuthorizedToDelete.
  • Added new functions getViewableFields, getUpdateableFields, and getCreatableFields, each accepting an sObjectType as input.
  • Added a describe info cache. All field describe information is now cached.
  • Apart from caching the describe information, the cache is pluggable. Those who are already caching describe information in their own Apex data structures can reuse it with ESAPI now, with a small code change.
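As an added example (not code from this post or from the ESAPI project), here is a Visualforce controller that uses the v0.5 functions listed above in the two ways the post describes: failing closed on a CRUD/FLS violation, and checking access to decide what to show. The method signatures (`ESAPI.accessController()` returning an `SFDCAccessController`, the `isAuthorizedTo*` checks taking an sObjectType and a `List<String>` of field names, and `getViewableFields` returning a `List<String>`) are assumptions; verify them against the ESAPI source before use.

```apex
public with sharing class AccountSummaryController {
    public class AccessDeniedException extends Exception {}

    // Fields the page wants to render (constructed sample list for this example).
    private static final List<String> DISPLAY_FIELDS =
        new List<String>{ 'Name', 'Industry', 'AnnualRevenue' };

    public sObject record { get; private set; }
    public List<String> viewableFields { get; private set; }
    public Boolean canEdit { get; private set; }

    public AccountSummaryController(ApexPages.StandardController sc) {
        Id accountId = sc.getId();
        // Assumed signature: ESAPI.accessController() returns the SFDCAccessController
        // carrying the v0.5 methods named in the post.
        SFDCAccessController ac = ESAPI.accessController();

        // Pattern 1, fail closed: refuse to render if the running user lacks read
        // access to the object or any required field. Crashing the page surfaces
        // the missing permission to an admin instead of silently showing blanks.
        if (!ac.isAuthorizedToView(Account.sObjectType, DISPLAY_FIELDS)) {
            throw new AccessDeniedException(
                'Insufficient read access on Account fields: ' + String.join(DISPLAY_FIELDS, ','));
        }

        // Pattern 2, show/hide: the Edit button is rendered only when the user may
        // update every displayed field. No exception, just a flag for the page.
        canEdit = ac.isAuthorizedToUpdate(Account.sObjectType, DISPLAY_FIELDS);

        // Pattern 3, field filtering: query only the optional fields the user can
        // read, so an optional section degrades instead of failing. This call is
        // served from the describe cache, so repeated checks cost no extra describes.
        viewableFields = ac.getViewableFields(Account.sObjectType);
        Set<String> optional = new Set<String>{ 'Phone', 'Website' };
        List<String> selected = new List<String>(DISPLAY_FIELDS);
        for (String f : viewableFields) {
            if (optional.contains(f)) selected.add(f);
        }
        // Field names come from describe results, not from user input, so they are
        // safe to splice into the SOQL; the record Id is bound as a variable.
        record = Database.query('SELECT ' + String.join(selected, ',') +
                                ' FROM Account WHERE Id = :accountId LIMIT 1');
    }
}
```

The page backing this controller would render its Edit button with `rendered="{!canEdit}"` and its optional section only for fields present in `viewableFields`.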


Apex-CRUD-FLS-Validator is dead now

The Apex-CRUD-FLS-Validator project is no longer on github, and any related documentation on my blog etc. has also been deleted to avoid ambiguity.

Coming up next!

Coming up next are a couple of blog posts and wiki page updates about the new APIs, with code samples and tricks to make the most of them.