soqlDatatable: Security

soqlDatatable uses an @api queryString to process its data.

Because this data point is coming in from a dev (or admin, for Record Pages / Screen Flows) as a SOQL string, there are built in security considerations:

DataTableService

This class is responsible for creating payloads of lightning-datatable compatible tableData and tableRows.

It uses the following security mechanisms:

Declared as inherited sharing.
- For @AuraEnabled methods, this is effectively with sharing.
- Allows this class to be called by yours to do without sharing.
All queried fields for tableColumns are checked with field.isAccessble().
All queried fields for tableData are checked with Security.stripInaccessible(AccessType.READABLE, queriedRecords).
Inline-editable fields for are updated using the updateRecord wire adapter which respects FLS.

This component assumes the user knows what they are doing with queryString, including using single quotes.

LookupAuraService

This class is responsible for searching lookup records during inline edit.

It uses the following security mechanisms:

Declared as with sharing.
Uses String.escapeSingleQuotes on various data points, including the search term.

Uh oh!

soqlDatatable: Security

DataTableService

LookupAuraService

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally