soqlDatatable: Security

soqlDatatable uses an @api queryString to process its data.

Because this data point is coming in from a dev (or admin, for Record Pages / Screen Flows) as a SOQL string, there are some some built in security considerations:

DataTableService

This class is responsible for creating payloads of lightning-datatable compatible tableData and tableRows.

It uses the following security mechanisms:

Declared as inherited sharing.
- For @AuraEnabled methods, this is effectively with sharing.
- Allows this class to be called by yours to do without sharing.
Single quotes are supported as a feature, however:
- All queried fields to be given a column definition are checked with field.isAccessble() for READ access.
- All queried fields to be returned to the UI as JSON are checked with Security.stripInaccessible(AccessType.READABLE, queriedRecords) for READ access.
Since the queryString property is exposed as an @api this library assumes the user knows what they are doing if they place this on the Lightning App Builder, Screen Flow, or as a child in your own LWCs.

LookupAuraService

This class is responsible for searching lookup records during inline edit.

It uses the following security mechanisms:

Declared as with sharing.
Uses String.escapeSingleQuotes on various data points, including the search term.

soqlDatatable: Security

DataTableService

LookupAuraService

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally