[Feature Request] Increase acceptable FLS validation use cases #1305

Open
@simon-nc-squared

Is your feature request related to an issue that you encountered with Salesforce Code Analyzer?
When running the DFA scanner on our code we get "FLS validation is missing" failures due to how we check field permissions. It would be useful to increase what is considered acceptable to cover our use cases.

Describe the solution that you want:
Below is an example with 3 methods that include field permission checks. The first passes the scanner, the other 2 don't. In the first failure it uses the SObject.getSObjectType() method in order to get the describe, instead of using the global describe. In the second failure it uses SObject.getPopulatedFieldsAsMap() to get the fields to check, instead of passing them in.

@RemoteAction
public static void testWorks() {
    Account acct = new Account(Name = 'test');
    if (canInsertFieldsObjectName('Account')) {
        doInsert(acct);
    }
}

@RemoteAction
public static void testFails1() {
    Account acct = new Account(Name = 'test');
    if (canInsertFieldsObjectType(acct)) {
        doInsert(acct);
    }
}

@RemoteAction
public static void testFails2() {
    Account acct = new Account(Name = 'test');
    if (canInsertPopulatedFields('Account', acct)) {
        doInsert(acct);
    }
}

public static Boolean canInsertFieldsObjectName(String objectName) {        
    Map<String, Schema.SObjectField> fields = Schema.getGlobalDescribe().get(objectName).getDescribe().fields.getMap();
    Set<String> populatedFields = new Set<String>{ 'Name' };
    for (String populatedField : populatedFields) {
        DescribeFieldResult fieldDescribe = fields.get(populatedField).getDescribe();
        if (!fieldDescribe.isCreateable()) {
            return false;
        }
    }
    return true;
}

public static Boolean canInsertFieldsObjectType(SObject obj) {        
    Map<String, Schema.SObjectField> fields = obj.getSObjectType().getDescribe().fields.getMap();
    Set<String> populatedFields = new Set<String>{ 'Name' };
    for (String populatedField : populatedFields) {
        DescribeFieldResult fieldDescribe = fields.get(populatedField).getDescribe();
        if (!fieldDescribe.isCreateable()) {
            return false;
        }
    }
    return true;
}

public static Boolean canInsertPopulatedFields(String objectName, SObject obj) {
    Map<String, Schema.SObjectField> fields = Schema.getGlobalDescribe().get(objectName).getDescribe().fields.getMap();
    Set<String> populatedFields = obj.getPopulatedFieldsAsMap().keySet();
    for (String populatedField : populatedFields) {
        DescribeFieldResult fieldDescribe = fields.get(populatedField).getDescribe();
        if (!fieldDescribe.isCreateable()) {
            return false;
        }
    }
    return true;
}

public static void doInsert(SObject obj) {
    Database.insert(obj);
}

Workaround:
Currently we need to use the engine directives to ignore our FLS checks for our DML.

Urgency:
Highly Beneficial
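
The two patterns this issue reports as flagged (describe via `getSObjectType()` and field names from `getPopulatedFieldsAsMap()`), combined in one helper as an added example that is not the reporter's or the project's code. `FlsInsertGuard`, `blockedFields`, `insertIfPermitted` and `FlsException` are hypothetical names; the example also assumes that populated keys with no entry in the field map (such as relationship names) should be refused rather than skipped.

```apex
public with sharing class FlsInsertGuard {
    // Hypothetical exception type for this example.
    public class FlsException extends Exception {}

    // Returns the populated keys the running user may not create.
    // An empty list means the insert is permitted.
    public static List<String> blockedFields(SObject record) {
        Schema.DescribeSObjectResult objectDescribe =
            record.getSObjectType().getDescribe();
        List<String> blocked = new List<String>();

        // Object-level create permission comes first; without it no
        // field-level result matters.
        if (!objectDescribe.isCreateable()) {
            blocked.add(objectDescribe.getName());
            return blocked;
        }

        Map<String, Schema.SObjectField> fields = objectDescribe.fields.getMap();
        for (String key : record.getPopulatedFieldsAsMap().keySet()) {
            Schema.SObjectField field = fields.get(key);
            // getPopulatedFieldsAsMap() can return relationship names, which
            // are not keys of the field map. Calling getDescribe() on the
            // null result would throw, so such keys are treated as blocked.
            if (field == null || !field.getDescribe().isCreateable()) {
                blocked.add(key);
            }
        }
        return blocked;
    }

    // Performs the DML only when every populated key passed the check.
    public static void insertIfPermitted(SObject record) {
        List<String> blocked = blockedFields(record);
        if (!blocked.isEmpty()) {
            throw new FlsException(
                'Create access denied for: ' + String.join(blocked, ', '));
        }
        Database.insert(record);
    }
}
```

Per this issue, the DFA scanner reports both underlying patterns as "FLS validation is missing", so a helper written this way would still need the engine-directive workaround described above.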
