Monday, 21 December 2020

How to sanitize sObjects that have been deserialized from an untrusted source with Security.stripInaccessible

 Hi ,

Let's assume we recieved  a json string with "Name" and "Annual Revenue" to update on Account.

But user doesn't have permisson to update Annual Revenue on Account object. 

Then we can avoid updating Annual Revenue on Account object as shown below.


String jsonInput =

'[' +

'{' +

'"Name": "InGen",' +

'"AnnualRevenue": "100"' +

'},' +

'{' +

'"Name": "Octan"' +

'}' +

']';


List<Account> accounts = (List<Account>)JSON.deserializeStrict(jsonInput, List<Account>.class);

SObjectAccessDecision securityDecision = Security.stripInaccessible(

                                         AccessType.UPDATABLE, accounts);

// Secure update

update securityDecision.getRecords(); // Doesn’t update AnnualRevenue field

System.debug(String.join(securityDecision.getRemovedFields().get('Account'), ', ')); // Prints "AnnualRevenue"

System.debug(String.join(securityDecision.getModifiedIndexes(), ', ')); // Prints "0”



Reference:

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_with_security_stripInaccessible.htm

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

When to Use Prompt Templates?

 Hi, Understanding when to use Prompt Templates instead of full AI agents helps you design scalable, predictable, and maintainable AI solut...