+ Start a Discussion
Rupali PophaliyaRupali Pophaliya 

FLS checking for Dynamic SOQL string

Hi,

In our one of appexchange app, we have exposed REST webservice. Here, user just passes the SOQL string to our expose REST API and in the form of response we are returning records.
As this is a part of appexchange, so its mandatory to do FLS checking, but as per our application scope SOQL string is generating outside Salesforce and user just passes SOQL string to my Salesforce Webservice, so I am wondering how we can do FLS checking for dynamic SOQL string.

Thanks,
Rupali

Daniel BallingerDaniel Ballinger
Can you rework the web service to accept a collection of required fields? You could then build up the required dynamic SOQL and validate the field level security at the same time.

Otherwise you may need to parse out the fields from the SOQL query. That could be difficult depending on the complexity of the query.
Rupali PophaliyaRupali Pophaliya
Hi Daniel,

Thanks for your reply.

Do you mean we have to take fields and object as JSON input and generate query in Salesforce webservice? If yes, then we have handle many things, so are as below:

a) Relation/nested query
b) Where clause condition, it can be inner outer
c) OFFSET and LIMIT part
etc.
For above implementation its require long time, it would be great if you have any reference / blog where I can refer query generation.

Thanks,
Rupali
 
Daniel BallingerDaniel Ballinger
Yes, I'm suggesting taking all the required parts of the SOQL query as part on the JSON input and then manually building the SOQL query yourself. The complexity of this will really depend on how elaborate you want the SOQL queries to be. It some ways it would be a good exercise anyway, as otherwise you would have little or no programatic control of what the SOQL query is doing.

I don't have any explictiy examples of doing this other than fairly trivial. I did find the apex-commons soql-builder (http://apex-commons.github.io/query/soql-builder/).
Arun KumarArun Kumar
Hi Rupali,

yes I am agree with Daniel, as it will be very trick if you want to parse the simple SOQL string from the user. As he can use any field which even will not exist in the ORG.

Better to give him a screen to build a SOQL query there you can show him all the meta data as like in Workbench.

Thanks,
Arun