+ Start a Discussion
Holly Havelka 17Holly Havelka 17 

Help with adding FLS AND CRUD to Apex Controller

Hi everyone,

I have created a controller, but now need to add in FLS and CRUD enforcement.  I have checked the documentation, but have not found anything around enforcing FLS and CRUD for returning a public static list.

Can someone help me figure out how to add in the right FLS and CRUD security?

Here is my controller:
public with sharing class AllContactOppsController{
    public static Map<Id, String> recordtypemap {get;set;}
    
    @AuraEnabled    
    public static List<Object> myOpps(String currentRecordId) {
        List<OpportunityContactRole> oppresults = [SELECT Contact.name, Role, OpportunityId, Opportunity.CloseDate, Opportunity.allcontactopps__Record_Url__c, Opportunity.Amount,Opportunity.Name, Opportunity.StageName, Opportunity.Type FROM OpportunityContactRole WHERE contact.accountid=:currentRecordId]; 
        return oppresults;
    }
    
    @AuraEnabled        
    public static List<String> fetchRecordTypeValues(){
        List<Schema.RecordTypeInfo> recordtypes = Opportunity.SObjectType.getDescribe().getRecordTypeInfos();    
        recordtypemap = new Map<Id, String>();
        for(RecordTypeInfo rt : recordtypes){
            if(rt.getName() != 'Master')
            recordtypemap.put(rt.getRecordTypeId(), rt.getName());
        }        
        return recordtypemap.values();
    }
    
    @AuraEnabled
    public static Id getRecTypeId(String recordTypeLabel){
        Id recid = Schema.SObjectType.Opportunity.getRecordTypeInfosByName().get(recordTypeLabel).getRecordTypeId();        
        return recid;
    }   
}
Thanks,
Holly


 
Best Answer chosen by Holly Havelka 17
Krishna.AvvaKrishna.Avva
Hi Holly,

You can check the CRUD Access using UserRecordAccess Object. Documentation here : https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_userrecordaccess.htm?search_text=UserRecordAccess

FLS will be implemented when you use "With Sharing" by default. I am not sure if we can check it programmatically. 

Regards,
Krishna Avva

All Answers

Krishna.AvvaKrishna.Avva
Hi Holly,

You can check the CRUD Access using UserRecordAccess Object. Documentation here : https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_userrecordaccess.htm?search_text=UserRecordAccess

FLS will be implemented when you use "With Sharing" by default. I am not sure if we can check it programmatically. 

Regards,
Krishna Avva
This was selected as the best answer
Holly Havelka 17Holly Havelka 17
Hi Krishna.Avva,
Thanks for the info.  I have it solved, but am wondering if there is a cleaner way to insert enforcement.  Can you look at my code and see if I could do it better or if it looks good?

Thanks,
Holly
public with sharing class AllContactOppsController{
    public static Map<Id, String> recordtypemap {get;set;}
    
    @AuraEnabled    
    public static List<Object> myOpps(String currentRecordId) {
      
        List<OpportunityContactRole> oppresults = [SELECT Contact.name, Role, OpportunityId, Opportunity.CloseDate, Opportunity.allcontactopps__Record_Url__c, Opportunity.Amount,Opportunity.Name, Opportunity.StageName, Opportunity.Type FROM OpportunityContactRole WHERE contact.accountid=:currentRecordId]; 
        if(!OpportunityContactRole.sObjectType.getDescribe().isAccessible()||
           !Contact.sObjectType.getDescribe().isAccessible()||
           !Opportunity.sObjectType.getDescribe().isAccessible()||
           !Schema.sObjectType.Opportunity.fields.allcontactopps__Record_Url__c.isAccessible()||
           !Schema.sObjectType.Contact.fields.Name.isAccessible()||
           !Schema.sObjectType.OpportunityContactRole.fields.Role.isAccessible()||
           !Schema.sObjectType.Opportunity.fields.Id.isAccessible()||
           !Schema.sObjectType.Opportunity.fields.CloseDate.isAccessible()||
           !Schema.sObjectType.Opportunity.fields.Amount.isAccessible()||
           !Schema.sObjectType.Opportunity.fields.Name.isAccessible()||
           !Schema.sObjectType.Opportunity.fields.StageName.isAccessible()||
           !Schema.sObjectType.Opportunity.fields.Type.isAccessible()
          ) {
            return null;
        }
        
        return oppresults;
    }
    
    @AuraEnabled        
    public static List<String> fetchRecordTypeValues(){
        List<Schema.RecordTypeInfo> recordtypes = Opportunity.SObjectType.getDescribe().getRecordTypeInfos();    
        recordtypemap = new Map<Id, String>();
        for(RecordTypeInfo rt : recordtypes){
            if(rt.getName() != 'Master')
            recordtypemap.put(rt.getRecordTypeId(), rt.getName());
        }        
        return recordtypemap.values();
    }
    
    @AuraEnabled
    public static Id getRecTypeId(String recordTypeLabel){
        Id recid = Schema.SObjectType.Opportunity.getRecordTypeInfosByName().get(recordTypeLabel).getRecordTypeId();        
        return recid;
    }   
}