Otdfbt

Multi tool use

Why are oscilloscope input impedances so low?

Disabling quote conversion in docstrings

Make me a minimum magic sum

no sense/need/point

Is Iron Man stronger than the Hulk?

Sheared off exhasut pipe: How to fix without a welder?

Is 'contemporary' ambiguous and if so is there a better word?

Where are the "shires" in the UK?

Dihedral group D4 composition with custom labels

What happens if I accidentally leave an app running and click "Install Now" in Software Updater?

In "Avengers: Endgame", what does this name refer to?

Which "exotic salt" can lower water's freezing point by –70 °C?

about academic proof-reading, what to do in this situation?

Speed up this NIntegrate

weird pluperfect subjunctive in Eutropius

As black, how should one respond to 4. Qe2 by white in the Russian Game, Damiano Variation?

Dangerous workplace travelling

All of my Firefox add-ons been disabled suddenly, how can I re-enable them?

How to display number in triangular pattern with plus sign

Page count conversion from single to double-space for submissions

How to deal with employer who keeps me at work after working hours

Endgame puzzle: How to avoid stalemate and win?

Can my 2 children, aged 10 and 12, who are US citizens, travel to the USA on expired American passports?

What is a precise issue with allowing getters?

Dynamic SOQL query relationship with field visibility for Users

About salesforce SOQL relationship querySOQL Can't create USERS relationship?Need help writing test Apex Classeschema.getglobaldescribe needs test classNot able to escape quote in visualforce page?SOQL error with relationshipSOQL for Lookup relationshipSOQL query with inner query doesn't recognize understand the relationshipHow to Pass in an Array of Strings in a Method Parameter in a Test ClassNested Dynamic SOQL Query

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

2

I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

apex soql

share|improve this question

asked Apr 26 at 19:22

Matthew MetrosMatthew Metros

915

add a comment | 

2

I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

apex soql

share|improve this question

asked Apr 26 at 19:22

Matthew MetrosMatthew Metros

915

add a comment | 

I created a dynamic SOQL query method and I am curious about what will happen if the user that triggers the code does not have access to the field. Will the entire org start receiving errors?

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

apex soql

share|improve this question

asked Apr 26 at 19:22

Matthew MetrosMatthew Metros

915

public with sharing class QuerySelector 

 public static List<SObject> dynamicQuerySelector(Set<Id> idSet) 

 // check if null

 List<SObject> sObjectList = new List<SObject>();

 if(idSet.size() > 0)
 
 // convert the set to a list
 List<Id> idList = new List<Id>(idSet);


 Schema.DescribeSObjectResult sor = idList[0].getSobjectType().getDescribe();
 String recObject = String.valueOf(sor.getName());

 Set<String> fieldNames = sor.fields.getMap().keySet();

 String recordQuery = 'SELECT ' + String.join(new List<String>(fieldNames),',') + ' FROM ' + recObject + ' WHERE id in :idSet ';

 sObjectList = Database.query(recordQuery);

 return sObjectList;
 
 return sObjectList;
 

share|improve this question

asked Apr 26 at 19:22

Matthew MetrosMatthew Metros

915

share|improve this question

asked Apr 26 at 19:22

Matthew MetrosMatthew Metros

915

asked Apr 26 at 19:22

Matthew MetrosMatthew Metros

915

asked Apr 26 at 19:22

Matthew MetrosMatthew Metros

915

1 Answer
1

active

oldest

votes

6

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered Apr 26 at 19:29

sfdcfoxsfdcfox

268k13214463

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "459"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f260261%2fdynamic-soql-query-relationship-with-field-visibility-for-users%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

6

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered Apr 26 at 19:29

sfdcfoxsfdcfox

268k13214463

add a comment | 

6

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered Apr 26 at 19:29

sfdcfoxsfdcfox

268k13214463

add a comment | 

By default, Apex can query all fields--even if the user can't see those fields. This can produce a situation where data is leaked to the user that they should not see. No errors or exceptions would occur (other than possibly due to too many fields/LOB fields/etc).

There's a new beta feature (WITH SECURITY_ENFORCED) to prevent this data leakage, but the tradeoff is that the query will fail with an exception. For this reason, among others, you should not describe an entire object this way, or at minimum, you should check the field's describe calls to see if they are accessible to the current user.

share|improve this answer

answered Apr 26 at 19:29

sfdcfoxsfdcfox

268k13214463

share|improve this answer

answered Apr 26 at 19:29

sfdcfoxsfdcfox

268k13214463

answered Apr 26 at 19:29

sfdcfoxsfdcfox

268k13214463

answered Apr 26 at 19:29

sfdcfoxsfdcfox

268k13214463