
I'm passing the Data Leak Prevention module and have faced some misunderstanding here in this unit.

Controller:

public with sharing class CRUD_FLS_Challenge {

    public List<Treasures__c> treasures {get;set;}
    public String chestContents {get;set;}

    public CRUD_FLS_Challenge()
    {
        // Load up to five treasures that have been found
        treasures = new List<Treasures__c>([select Name, Type__c, Found__c, Description__c, Castle__r.Name FROM Treasures__c where Found__c =: True limit 5]);
    }
}

VF markup:

<apex:page controller="CRUD_FLS_Challenge" tabStyle="CRUD_FLS_Challenge__tab">
    <apex:pageBlockTable value="{!treasures}" var="p">
        <apex:column headervalue="Name">
            <apex:OutputText value="{!p.Name}" /> <!-- p.Name is vulnerable NO -->
        </apex:column>
        <apex:column headervalue="Description">
            <apex:OutputText value="{!p.Description__c}" /> <!-- p.Description__c is vulnerable NO -->
        </apex:column>
    </apex:pageBlockTable>
</apex:page>

Why isn't {!treasures} vulnerable?

Brian Miller
pincet
  • Which unit are you in? Can you share the link? Also, are you asking about why it's not a CRUD/FLS issue or some other vulnerability issue? – Brian Miller Jan 04 '20 at 20:07
  • link https://trailhead.salesforce.com/content/learn/modules/data-leak-prevention/identify-crud-and-fls-violations-in-visualforce-and-apex – pincet Jan 04 '20 at 20:15
  • I wonder why {!treasures} isn't vulnerable in this context – pincet Jan 04 '20 at 20:16

1 Answer


The Visualforce page has built-in measures to respect the CRUD/FLS settings of the logged-in user.

As the trailhead unit describes:

This table displays the object fields using standard object notation--{!p.Name}, {!p.Description__c}, {!p.Found__c}, {!p.Castle__r.Name}--so by default the platform enforces any CRUD and FLS restrictions. This is why, just as we expected, the sensitive fields are not displayed.

Brian Miller
  • Am I right in thinking about it this way: the page controller runs in system context, and if it is without sharing, sharing doesn't matter. But if it is with sharing, then for example inside the controller I can access all fields, and when some SOQL results are transmitted to VF (or a Lightning component), the receiver checks OWD/FLS? Would a case with some "wrapper" be insecure? – pincet Jan 05 '20 at 11:34
  • Exactly (at least the way I understand it) - VF pages have built-in security measures for FLS. The with sharing is only telling you what records actually show up to the user, but the SOQL will still get field data even if FLS says they shouldn't see certain fields. See the recent release of WITH SECURITY_ENFORCED to enforce FLS, or using .stripInaccessible() – Brian Miller Jan 05 '20 at 12:58
  • P.S. A very nice and long discussion on with sharing, without sharing, OWDs, etc. within the forums here – Brian Miller Jan 05 '20 at 13:01
  • Thanks a lot. If I understand correctly, the client side (VF page) makes a decision about what to show (both records and fields) from the recordset received from the controller? I think there is some "third" entity, because in MVC the view cannot make any decisions about showing data. Isn't that so? – pincet Jan 05 '20 at 13:05
  • VF gets the records from the controller (which are based on the sharing settings) and then decides which fields can be shown on a field-by-field basis based on FLS settings for the logged-in user. I think the VF page framework is acting as that "third" entity, and I vaguely remember the term MVVC (with two Vs), implying it doesn't follow a true-to-core MVC model – Brian Miller Jan 05 '20 at 14:14
  • Thanks a lot, really. Your quote "I think the VF page framework is acting as that "third" entity" was the one I expected – pincet Jan 05 '20 at 15:20
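The "wrapper" case raised in the comments, next to a version hardened with the stripInaccessible() call mentioned there. This is an added example, not code from the Trailhead unit or from either poster; the class name TreasureWrapperExample, the TreasureRow wrapper and both getter names are hypothetical, and Description__c is assumed to be a text field.

```apex
// Added example: class, wrapper and method names are hypothetical.
public with sharing class TreasureWrapperExample {

    // The wrapper exposes plain Strings. A page binding {!row.description}
    // sees an ordinary String, not an sObject field, so Visualforce has no
    // field metadata to apply FLS to.
    public class TreasureRow {
        public String name { get; private set; }
        public String description { get; private set; }
        public TreasureRow(String name, String description) {
            this.name = name;
            this.description = description;
        }
    }

    // Leaky pattern: "with sharing" filters records only. The query still
    // returns Description__c even if the user's FLS hides that field, and
    // the copy into the wrapper carries it to the page.
    public List<TreasureRow> getRowsUnchecked() {
        List<TreasureRow> rows = new List<TreasureRow>();
        for (Treasures__c t : [SELECT Name, Description__c FROM Treasures__c
                               WHERE Found__c = true LIMIT 5]) {
            rows.add(new TreasureRow(t.Name, t.Description__c));
        }
        return rows;
    }

    // Hardened pattern: remove fields the running user cannot read before
    // any value is copied out of the sObject.
    public List<TreasureRow> getRowsChecked() {
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.READABLE,
            [SELECT Name, Description__c FROM Treasures__c
             WHERE Found__c = true LIMIT 5]);
        List<TreasureRow> rows = new List<TreasureRow>();
        for (SObject s : decision.getRecords()) {
            Treasures__c t = (Treasures__c) s;
            // isSet() is false for a stripped field; reading a stripped
            // field directly would throw an SObjectException.
            rows.add(new TreasureRow(
                t.isSet('Name') ? t.Name : null,
                t.isSet('Description__c') ? t.Description__c : null));
        }
        return rows;
    }
}
```

Adding WITH SECURITY_ENFORCED to the query is the other option named in the comments; it throws a System.QueryException when a selected field is not readable, instead of silently dropping the field.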