soqlDatatable: Security
James Hou edited this page Feb 13, 2021
`soqlDatatable` uses an `@api queryString` to process its data.

Because this data point is coming in from a dev (or admin, for Record Pages / Screen Flows) as a SOQL string, there are built-in security considerations:

This class is responsible for creating payloads of `lightning-datatable` compatible `tableData` and `tableRows`.

It uses the following security mechanisms:

- Declared as `inherited sharing`.
  - For `@AuraEnabled` methods, this is effectively `with sharing`.
  - Allows this class to be called by yours to do `without sharing`.
- All queried fields for `tableColumns` are checked with `field.isAccessible()`.
- All queried fields for `tableData` are checked with `Security.stripInaccessible(AccessType.READABLE, queriedRecords)`.
- Inline-editable fields are updated using the `updateRecord` wire adapter, which respects FLS.

This component assumes the user knows what they are doing with `queryString`, including using single quotes.
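The following Apex class is an added example, not the project's own code, showing how the three mechanisms above fit together in one `inherited sharing` entry point: the dev-supplied `queryString` runs in the caller's sharing context, each populated field is checked with `DescribeFieldResult.isAccessible()` before a column is built, and the rows are passed through `Security.stripInaccessible` before they are returned. The class, method and inner type names are hypothetical; the `queryString` in the comment is a constructed sample.

```apex
// Added example (hypothetical names, not the soqlDatatable source).
// inherited sharing: when called from an @AuraEnabled method this runs
// "with sharing"; a "without sharing" caller can reuse it in its own context.
public inherited sharing class SecureDatatableServiceExample {

    // One lightning-datatable column per field the running user may read.
    public class ColumnInfo {
        @AuraEnabled public String fieldName;
        @AuraEnabled public String label;
        @AuraEnabled public String type;
    }

    public class TablePayload {
        @AuraEnabled public List<ColumnInfo> tableColumns = new List<ColumnInfo>();
        @AuraEnabled public List<SObject> tableData = new List<SObject>();
    }

    // Constructed sample input from a developer / admin:
    //   'SELECT Id, Name, Industry, AnnualRevenue FROM Account LIMIT 50'
    @AuraEnabled(cacheable=true)
    public static TablePayload getTableData(String queryString) {
        TablePayload payload = new TablePayload();

        // The raw SOQL string is trusted as SOQL (that is the component's contract);
        // record visibility is still enforced by the sharing context this runs in.
        List<SObject> queried = Database.query(queryString);
        if (queried.isEmpty()) {
            return payload;
        }

        Schema.SObjectType sObjType = queried[0].getSObjectType();
        Map<String, Schema.SObjectField> fieldMap = sObjType.getDescribe().fields.getMap();

        // 1. Column-level FLS: only build a column for fields the user can read.
        for (String fieldName : queried[0].getPopulatedFieldsAsMap().keySet()) {
            Schema.SObjectField field = fieldMap.get(fieldName.toLowerCase());
            if (field == null) {
                continue; // relationship path or subquery, not a plain field on this object
            }
            Schema.DescribeFieldResult dfr = field.getDescribe();
            if (!dfr.isAccessible()) {
                continue; // user lacks read FLS: no column, and the value is stripped below
            }
            ColumnInfo col = new ColumnInfo();
            col.fieldName = dfr.getName();
            col.label = dfr.getLabel();
            col.type = String.valueOf(dfr.getType()).toLowerCase();
            payload.tableColumns.add(col);
        }

        // 2. Row-level FLS: remove values of any field the user cannot read,
        //    so the wire payload never carries data the columns would hide.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, queried);
        payload.tableData = decision.getRecords();
        return payload;
    }
}
```

Both checks are needed: `isAccessible()` decides what the table displays, while `stripInaccessible` guarantees that a field which slipped into the query but failed FLS is also absent from the serialized rows sent to the browser. `SObjectAccessDecision.getRemovedFields()` can be logged during development to see which fields were stripped for a given user.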
This class is responsible for searching lookup records during inline edit.

It uses the following security mechanisms:

- Declared as `with sharing`.
- Uses `String.escapeSingleQuotes` on various data points, including the search term.
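As an added example (hypothetical class and method names, not the project's lookup code), here is a `with sharing` search method that validates the object name against describe, escapes the user-typed search term with `String.escapeSingleQuotes` before it is placed inside a SOQL string literal, and strips unreadable fields from the result. The `searchTerm` in the comment is a constructed sample.

```apex
// Added example (hypothetical names, not the soqlDatatable source).
// with sharing: lookup results are limited to records the user can see.
public with sharing class SecureLookupSearchExample {

    // Constructed sample call: search('Account', 'O\'Brien')
    @AuraEnabled(cacheable=true)
    public static List<SObject> search(String objectApiName, String searchTerm) {
        // Never concatenate the object name as-is: resolve it through describe,
        // which rejects anything that is not a real, readable sObject.
        Schema.SObjectType sObjType = Schema.getGlobalDescribe().get(objectApiName);
        if (sObjType == null) {
            throw new AuraHandledException('Unknown object: ' + objectApiName);
        }
        Schema.DescribeSObjectResult dsr = sObjType.getDescribe();
        Schema.SObjectField nameField = dsr.fields.getMap().get('name');
        if (!dsr.isAccessible() || nameField == null
                || !nameField.getDescribe().isAccessible()) {
            return new List<SObject>();
        }

        if (String.isBlank(searchTerm)) {
            return new List<SObject>();
        }

        // escapeSingleQuotes turns  O'Brien  into  O\'Brien , so the term cannot
        // close the LIKE literal and inject extra WHERE clauses.
        String safeTerm = String.escapeSingleQuotes(searchTerm.trim());

        String soql = 'SELECT Id, Name FROM ' + dsr.getName()
            + ' WHERE Name LIKE \'%' + safeTerm + '%\''
            + ' ORDER BY Name LIMIT 10';

        // Same row-level FLS guard as the datatable payload.
        return Security.stripInaccessible(AccessType.READABLE, Database.query(soql))
            .getRecords();
    }
}
```

`escapeSingleQuotes` only neutralises the quote character; `%` and `_` remain live LIKE wildcards, which is acceptable for a lookup search but worth knowing when reviewing query cost. The equivalent without string building is a bind variable (`String likeTerm = '%' + searchTerm + '%';` then `WHERE Name LIKE :likeTerm`), which needs no escaping at all.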