AppExchange Security Review – CRUD Security and FLS (Field Level Security)

I will soon be submitting an application into the Force.com AppExchange Security Review process. In preparation I took a look at articles like Testing CRUD and FLS Enforcement and so realized that I needed to add some extra code to my custom UI code.

The first thing I looked at was this apparently salesforce sponsored project OWASP ESAPI implementation for Force.com. Useful to look at but I got no response to emails or issues so be warned.

In the end I added the minimum code I could think of which blocks the custom UI if any object or field level permissions are turned off as at present I do not have requirements for fine grained control. Given that some of the custom UI manipulates multiple objects at once to accomplish the required business logic, this sails close to the describe call governor limit. So don’t manipulate more than 10 types in a piece of code because you won’t be able to implement the (apparently) required security…

The biggest issue I ran into was in the testing of this code. The unit tests need to check that users running under profiles that allow access are not blocked and that users running under profiles that don’t allow access are blocked. But the bad news is that there appears to be some insidious caching that gets in the way. See my response-less post How to test CRUD Security and FLS despite implicit describe caching?. And its not that the describe caching just spans multiple test methods in a test class but it appears to span all the test classes in a test run too. So right now the “don’t allow access” tests are turned off. Not good.

Advertisements

3 thoughts on “AppExchange Security Review – CRUD Security and FLS (Field Level Security)

  1. This is concerning, but others must have come across this issue before?

    I was wondering, what happens if instead of relying on the field describe methods, what happens if you try to update/insert/delete/whatever? Are exceptions thrown? It’s not an ideal way to do your testing, but it’s better than nothing..

    • Yeah I was expecting some comment along the lines of “abc does not work so you need to do xyz”. But nothing so far.

      It would be interesting to see if the update/insert/delete/whatever works and the insidious caching only applies to the explicit describe calls. But it would be nicer still to have a more trustworthy API.

  2. Hi Wes,

    We’d be happy to help you with this and thanks for logging the issues you came across. We are actively investigating them and working on a solution. Please email securecloud .at. salesforce.com if you would like to correspond with the team directly in the future.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s