Salesforce Developer Security Sharing

salesforce-developer-security

// Salesforce - Developer - Security - Sharing:

Sharing rules define record level access, rather than object/field access.  
Default level of sharing is configured via Organization-Wide Defaults:
Setup -> Security Controls -> Sharing Settings

1. Private: No access to all records by default
2. Public Read: Read access to all records by default

Sharing is “additive”, therefore “Private” default access is suggested.  The 
following are all methods in which users can gain access to records through 
sharing. All of these methods are additive and are taken into account together.

1. User/Owner
2. Groups
3. Criteria
4. Apex Managed
5. Role Hierarchy
6. Manual record sharing
7. Territory
8. Account/Contact (High Volume Portal User)

Visualforce runs in user context, but custom controllers run in system context. 
What is expected sharing behavior?

public with sharing class MyController {
  // with sharing is applied ...
  public class MyInnerClass {
    // with sharing is not applied to this class
  }
}

1. Apex classes will not enforce sharing permissions by default.
   1. Any record can be queried
   2. “With Sharing”  can be added to respect sharing.

2. Inner methods cannot have sharing defined, inherit from class.

3. Inner classes without any explicit sharing will inherit from the 
   instantiating class (often the outer class but not always).

4. Inner classes can be explicitly marked “Without Sharing” to prevent 
   inheritance.

5. Visualforce enforces sharing with a standard controller.

6. Visualforce does not enforce sharing with a custom controller (relies on controller)
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License