Zrjydtj

Was there a Viking Exchange as well as a Columbian one?

Why do games have consumables?

How can I print the prosodic symbols in LaTeX?

Why boldmath fails in a tikz node?

Contradiction proof for inequality of P and NP?

Do I have an "anti-research" personality?

Retract an already submitted recommendation letter (written for an undergrad student)

What happens to Mjolnir (Thor's hammer) at the end of Endgame?

On The Origin of Dissonant Chords

Is there any official lore on the Far Realm?

"Whatever a Russian does, they end up making the Kalashnikov gun"? Are there any similar proverbs in English?

Mistake in years of experience in resume?

How to stop co-workers from teasing me because I know Russian?

What does the integral of a function times a function of a random variable represent, conceptually?

How to limit Drive Letters Windows assigns to new removable USB drives

How to denote matrix elements succinctly?

How do I deal with a coworker that keeps asking to make small superficial changes to a report, and it is seriously triggering my anxiety?

What happens in the secondary winding if there's no spark plug connected?

As an international instructor, should I openly talk about my accent?

Why does Mind Blank stop the Feeblemind spell?

Function pointer with named arguments?

How would 10 generations of living underground change the human body?

What's the polite way to say "I need to urinate"?

Did the BCPL programming language support floats?

Dynamic SOQL query relationship with field visibility for Users

About salesforce SOQL relationship querySOQL Can't create USERS relationship?Need help writing test Apex Classeschema.getglobaldescribe needs test classNot able to escape quote in visualforce page?SOQL error with relationshipSOQL for Lookup relationshipSOQL query with inner query doesn't recognize understand the relationshipHow to Pass in an Array of Strings in a Method Parameter in a Test ClassNested Dynamic SOQL Query

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

1

I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

apex soql

share|improve this question

asked 1 hour ago

Matthew MetrosMatthew Metros

463

add a comment | 

1

I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

apex soql

share|improve this question

asked 1 hour ago

Matthew MetrosMatthew Metros

463

add a comment | 

I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

apex soql

share|improve this question

asked 1 hour ago

Matthew MetrosMatthew Metros

463

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

share|improve this question

asked 1 hour ago

Matthew MetrosMatthew Metros

463

share|improve this question

asked 1 hour ago

Matthew MetrosMatthew Metros

463

asked 1 hour ago

Matthew MetrosMatthew Metros

463

asked 1 hour ago

Matthew MetrosMatthew Metros

463

1 Answer
1

active

oldest

votes

5

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered 1 hour ago

sfdcfoxsfdcfox

267k13213461

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "459"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f260261%2fdynamic-soql-query-relationship-with-field-visibility-for-users%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

5

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered 1 hour ago

sfdcfoxsfdcfox

267k13213461

add a comment | 

5

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered 1 hour ago

sfdcfoxsfdcfox

267k13213461

add a comment | 

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered 1 hour ago

sfdcfoxsfdcfox

267k13213461

share|improve this answer

answered 1 hour ago

sfdcfoxsfdcfox

267k13213461

answered 1 hour ago

sfdcfoxsfdcfox

267k13213461

answered 1 hour ago

sfdcfoxsfdcfox

267k13213461