Salesforce Apex and data security: The importance of "with sharing" and "without sharing".

Are you aware of the “without sharing” and “with sharing” keywords in your Apex Class, especially the custom controller for your VisualForce page?

We came across this issue when listing one of our Salesforce packages publicly, so I thought it was worthwhile to share.

 

If you create a “without sharing” controller in Salesforce, e.g:
public without sharing class MyController{
    List<Account> myAccount = [Select Id, Name From Account];
}
this will force Salesforce to return all the requested records without respecting the security sharing permissions of the user currently logged in.
This is very dangerous as the user will be able to view, edit or delete any sensitive records that he/she shouldn’t see via the controller.
To avoid this issue, you should create a “with sharing” controller instead as shown below:
public with sharing class MyController{
    List<Account> myAccount = [Select Id, Name From Account];
}
Want more info? You can refer to this page if you would like to know more: https://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_keywords_sharing.htm

Get in touch today to see how WDCi can help your business.