Force.com ESAPI v0.5 & death of Apex-CRUD-FLS-Validator API
“Apex-CRUD-FLS-Validator” was an open-source project I started a few days back on GitHub. Its aim was to add a few handy APIs that Force.com ESAPI v0.4 was missing. At a high level, those missing APIs were:
“An operation to assert() CRUD/FLS and throw an exception if it is violated”. We found it better to fail the page outright on a security error, the way Salesforce itself does, so that the admin can grant the required access. Blanking out values or hiding items was hard to get right on complex screens.
“An operation to check whether CRUD/FLS access is available on a given sObject or set of fields”. This result is used to show or hide links, buttons, and sections.
“The ability to cache the field describe call and reuse the result”. This matters because we already cache describe information for other requirements and don’t want to spend additional describe calls enforcing security on the same sObject/fields.
Apex-CRUD-FLS-Validator APIs merged with Force.com ESAPI
To merge these Apex-CRUD-FLS-Validator APIs into Force.com ESAPI, I discussed the idea with Yoel Gluck, who maintains the ESAPI project on Google Code and is Salesforce's Lead Product Security Engineer. Out of those discussions we devised a plan to merge the APIs.
Neal Harris (Associate Product Security Engineer at Salesforce.com) is the man who finally made the merge happen. He introduced the following new APIs in release v0.5 of Force.com ESAPI:
Added new functions “isAuthorizedToView”, “isAuthorizedToCreate”, “isAuthorizedToUpdate”, and “isAuthorizedToDelete”.
Added new functions “getViewableFields”, “getUpdateableFields”, and “getCreatableFields”, each accepting an sObjectType as input.
Added a describe info cache. All field describe information is now cached.
The describe info cache is also pluggable. If you already cache describe information in your own Apex data structures, that cache can be reused by ESAPI with a small code change, instead of paying for a second set of describe calls.
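To make the three pieces concrete (assert-or-throw, boolean check, and a describe cache that callers can seed, plus the viewable-fields filter in the shape of getViewableFields), here is an added illustration written against the platform's own Schema describe API. It is not code from Force.com ESAPI or from Apex-CRUD-FLS-Validator; ESAPI's real entry points are the functions named in the list above. The class name SecurityCheck, the seedFieldCache hook, and the controller usage in the comments are my own assumptions.

```apex
// Added illustration, not ESAPI or Apex-CRUD-FLS-Validator source.
// Class name, seedFieldCache hook and usage comments are assumptions.
public with sharing class SecurityCheck {

    // Thrown when the running user lacks the required object or field access.
    public class AccessException extends Exception {}

    // Describe cache keyed by sObject API name. A static map lives for the
    // whole transaction, so a page that checks Contact ten times pays for
    // one fields.getMap() call instead of ten.
    private static Map<String, Map<String, Schema.SObjectField>> fieldCache =
        new Map<String, Map<String, Schema.SObjectField>>();

    // "Pluggable" cache: code that already holds a describe map for its own
    // reasons hands it in, and no second describe is issued for that type.
    public static void seedFieldCache(Schema.SObjectType t,
                                      Map<String, Schema.SObjectField> fields) {
        fieldCache.put(String.valueOf(t), fields);
    }

    private static Map<String, Schema.SObjectField> fieldsOf(Schema.SObjectType t) {
        String key = String.valueOf(t);
        if (!fieldCache.containsKey(key)) {
            fieldCache.put(key, t.getDescribe().fields.getMap());
        }
        return fieldCache.get(key);
    }

    // Field-level check shared by the boolean APIs. mode is 'view', 'create'
    // or 'update'. fields.getMap() keys are lower-case API names, so the
    // caller's spelling is normalised before lookup.
    private static Boolean fieldsAllowed(Schema.SObjectType t,
                                         List<String> fieldNames, String mode) {
        Map<String, Schema.SObjectField> fields = fieldsOf(t);
        for (String name : fieldNames) {
            Schema.SObjectField sf = fields.get(name.toLowerCase());
            if (sf == null) return false;   // unknown field: deny, never guess
            Schema.DescribeFieldResult d = sf.getDescribe();
            Boolean ok = (mode == 'view')   ? d.isAccessible()
                       : (mode == 'create') ? d.isCreateable()
                       :                      d.isUpdateable();
            if (!ok) return false;
        }
        return true;
    }

    // Boolean checks: use these to decide whether to render a link, button
    // or section. Object-level permission is tested before field-level.
    public static Boolean isAuthorizedToView(Schema.SObjectType t, List<String> fieldNames) {
        return t.getDescribe().isAccessible() && fieldsAllowed(t, fieldNames, 'view');
    }
    public static Boolean isAuthorizedToCreate(Schema.SObjectType t, List<String> fieldNames) {
        return t.getDescribe().isCreateable() && fieldsAllowed(t, fieldNames, 'create');
    }
    public static Boolean isAuthorizedToUpdate(Schema.SObjectType t, List<String> fieldNames) {
        return t.getDescribe().isUpdateable() && fieldsAllowed(t, fieldNames, 'update');
    }
    // Delete is object-level only; field-level security does not apply to it.
    public static Boolean isAuthorizedToDelete(Schema.SObjectType t) {
        return t.getDescribe().isDeletable();
    }

    // Assert-or-throw variants: fail the request the way the platform does,
    // so the admin sees a clear error and can grant the missing permission
    // instead of the page silently showing blanks.
    public static void assertAuthorizedToView(Schema.SObjectType t, List<String> fieldNames) {
        if (!isAuthorizedToView(t, fieldNames)) {
            throw new AccessException('No read access to ' + String.valueOf(t)
                + ' fields ' + String.join(fieldNames, ','));
        }
    }
    public static void assertAuthorizedToUpdate(Schema.SObjectType t, List<String> fieldNames) {
        if (!isAuthorizedToUpdate(t, fieldNames)) {
            throw new AccessException('No edit access to ' + String.valueOf(t)
                + ' fields ' + String.join(fieldNames, ','));
        }
    }

    // Viewable-field filter: the fields the running user may read, handy for
    // building a SELECT list that never names a field the user cannot see.
    public static List<Schema.SObjectField> getViewableFields(Schema.SObjectType t) {
        List<Schema.SObjectField> out = new List<Schema.SObjectField>();
        for (Schema.SObjectField sf : fieldsOf(t).values()) {
            if (sf.getDescribe().isAccessible()) out.add(sf);
        }
        return out;
    }

    // Controller usage (assumed):
    //   SecurityCheck.assertAuthorizedToView(Contact.SObjectType,
    //       new List<String>{'Email', 'Phone'});          // page fails if denied
    //   Boolean showEdit = SecurityCheck.isAuthorizedToUpdate(Contact.SObjectType,
    //       new List<String>{'Phone'});                   // drives a button's rendered=
}
```

Two caveats worth keeping in mind. Apex runs in system mode, so `with sharing` only applies record-level sharing; object and field permissions are enforced only where code checks them explicitly like this. And the cache holds `Schema.SObjectField` tokens, not permission results: `getDescribe()` reads the running user's permissions at call time, so a seeded or cached map never serves a stale access decision.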
Apex-CRUD-FLS-Validator is dead now
The Apex-CRUD-FLS-Validator project is no longer on GitHub, and the related documentation on my blog and elsewhere has been deleted to avoid any ambiguity about which API to use.
Coming up next!
Next up are a couple of blog posts and wiki page updates covering the new APIs, code samples, and tips for getting the most out of them.
Let's Talk
Have questions? We’re here to help. Drop a comment below or connect with us through our social media channels. Whether you’re a Salesforce developer, admin, or consultant, we hope this guide helps you get the most out of Force.com ESAPI v0.5.