I'm reviewing the Lightning documents, and I don't find any relevant topics for FLS access control; in VF it works based on profile and throws an error based on permissions. It seems like a lot of code needs to be written to solve this on the client side?
4 Answers
Basically CRUD/FLS, as with all access control, must always be done on the server. Access control can never be done on the client (if data is sent to the client, it is already too late, as the client is under the control of the attacker). It is not possible for an aura component to play an equivalent role to a visualforce inputField component, because client-side filtering is for usability, not security.
CRUD/FLS must be enforced in the Apex Controller via the usual isAccessible(), isCreatable(), isUpdateable() calls. Object permissions are ignored in Apex, which is why you need to use a standard controller or check for object permissions yourself.
Note that there is no analogue of server-side visualforce outputField components that performs permissions checks for you.
This means that you will need to bulk up your server side code with CRUD and FLS checks and always use 'with sharing' in all of your apex classes in order to use lightning components safely. Unfortunately the current tutorials seem to ignore sharing as well as CRUD/FLS, but this does not mean that you can ignore these issues when writing components. I'm sure that additional documentation will be provided but in the meantime you can refer to the existing documentation about enforcing CRUD/FLS calls in Apex controllers. All of that continues to hold for aura-enabled methods.
There is now some initial Security Guidance for Lightning: https://developer.salesforce.com/page/Lightning_Security#Access_Control_in_Apex_Controllers_and_Supporting_Classes -- any feedback would be appreciated and can be sent to securecloud@salesforce.com – Robert Sussland Mar 26 '15 at 01:27
This further illustrates the need for this security idea on IdeaExchange. https://success.salesforce.com/ideaView?id=08730000000Lj8GAAS – CoryCowgill Mar 10 '16 at 19:59
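An added illustration (not code from the answer above or from Salesforce) of what the first answer describes: an @AuraEnabled controller that performs the CRUD check with isAccessible()/isUpdateable() on the object, the FLS check on each field, and relies on 'with sharing' for record-level access before anything is returned to the client. The class, object and field names are assumed for the example.

```apex
// Assumed example controller: Contact and the three fields are illustrative.
public with sharing class ContactController {

    // Fields the component asks for; each one is FLS-checked below.
    private static final List<String> FIELDS =
        new List<String>{ 'FirstName', 'LastName', 'Email' };

    @AuraEnabled
    public static List<Contact> getContacts() {
        Schema.DescribeSObjectResult d = Contact.SObjectType.getDescribe();
        // Object-level (CRUD) read check: Apex does not enforce this for you.
        if (!d.isAccessible()) {
            throw new AuraHandledException('No read access to Contact.');
        }
        // Field-level (FLS) read check on every field that will be queried.
        // getMap() keys are lowercase, so normalise before the lookup.
        Map<String, Schema.SObjectField> fieldMap = d.fields.getMap();
        for (String f : FIELDS) {
            Schema.SObjectField sf = fieldMap.get(f.toLowerCase());
            if (sf == null || !sf.getDescribe().isAccessible()) {
                throw new AuraHandledException('No read access to Contact.' + f);
            }
        }
        // Field list comes from the constant above, never from client input.
        // 'with sharing' on the class applies record-level sharing to the query.
        return Database.query(
            'SELECT ' + String.join(FIELDS, ', ') + ' FROM Contact LIMIT 50');
    }

    @AuraEnabled
    public static Contact updateEmail(Id contactId, String email) {
        // CRUD update check on the object, then FLS update check on the field.
        if (!Schema.SObjectType.Contact.isUpdateable()
            || !Schema.SObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AuraHandledException('No update access to Contact.Email.');
        }
        Contact c = new Contact(Id = contactId, Email = email);
        update c; // sharing rules still decide whether this record is writable
        return c;
    }
}
```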
In the Winter 15 release, there are a bunch of new standard components being added.
The force:outputField and force:inputField are intended to be the Lightning Component analog to Visualforce's apex:input/outputField tags.
Although at this point in time the docs don't explicitly state they will, I would expect these to give you the respect-for-field-level-security that you are looking for.
To use them you will need to be in an org that is on the Winter 15 code base. At the time of writing this answer, that would have to be a pre-release org hosted on the gs0 instance. You can read about the new Winter 15 components in your pre-release org by going to: https://gs0.salesforce.com/auradocs
aura:inputField tags cannot play the role of apex:inputField tags because they are rendered on the client, at which point it is too late to do a permissions check. This is a fundamental difference between aura and VF. – Robert Sussland Mar 27 '15 at 19:40
I did a tutorial on Lightning components at Dreamforce this year. From what I remember, a Lightning component is made up of sub-parts, including an Apex controller. I believe you would still need to go through the controller to get data from the database, so I believe FLS would still behave the same way it does today.
For more info on Lightning, see the documentation. It sounds like you may already have seen some of this, but if you take a look at the Quick Start guide at the bottom of the page, you'll be able to walk through one of the demos they promoted at DF.
If I remember correctly, the Apex controller only enforces data visibility, not the FLS "with sharing" keyword. If a user accesses a page where they don't have access, in the Visualforce world they get an error, but Lightning is a client-side component, so we don't know what access the user has unless we query and find out. We may throw a generic exception, but it's not the same as FLS checking. References: https://help.salesforce.com/apex/HTViewSolution?urlname=CRUD-and-FLS-on-VisualForce-Page&language=en_US – realnumber Oct 24 '14 at 19:07
The security should be managed using external object permissions, similar to other objects, which is maybe why you are not seeing documentation.
https://help.salesforce.com/HTViewHelpDoc?id=perm_sets_object_perms_edit.htm&language=en_US
The issue is that the Apex Controller will not respect the object permissions. You need to explicitly check for the perms with isAccessible() in Apex. – Robert Sussland Mar 27 '15 at 19:39