Security Bug Fixes #7215
Security Bug Fixes #7215
Conversation
|
@andrewyu-salesforce @callen-sfdo Here is the combined security bug fix PR. |
…DoesNotHaveCreateAndEditPermissions()
| private static Boolean hasFieldReadAccess(Set<String> queryFields) { | ||
| String nameSpacedField; | ||
|
|
||
| for (String queryField:queryFields) { |
There was a problem hiding this comment.
CommitmentId__c is one of the fields being checked for access. I think we should probably remove that field from the access check. What do you think??
There was a problem hiding this comment.
We need access to it, but I think it falls into the category of something that is system-maintained, not something that needs to be accessed by a user.
There was a problem hiding this comment.
CommitmentId definitely falls into the System-maintained side and should not be checked for access.
There was a problem hiding this comment.
On top of CommitmentId, I think we should also remove the following fields from FLS check because those aren't related to Pause functionality and it's probably used for querying/updating the schedules. In the UI we only display Installment Date, Amount, and Payment Method.
- npe03__Recurring_Donation_Campaign__r.Name
- npe03__Installments__c
- npe03__Total_Paid_Installments__c
- npe03__Contact__c
- npe03__Organization__c
What do you think
There was a problem hiding this comment.
That sounds right to me!
| 'Seasonal_End_Day__c', | ||
| 'Geolocation__Latitude__s', | ||
| 'Geolocation__Longitude__s', | ||
| 'Undeliverable__c' |
There was a problem hiding this comment.
Undeliverable__c is relatively new, so I believe we should remove it from the access check.
| @@ -49,6 +49,7 @@ public with sharing class PSC_ManageSoftCredits_CTRL { | |||
| @TestVisible private String currencySymbol; | |||
|
|
|||
| /** @description Set to true if the user has the appropriate permissions to access the page */ | |||
| @TestVisible | |||
There was a problem hiding this comment.
The TestVisible is not needed or the variable should be private
| private static Boolean hasFieldReadAccess(Set<String> queryFields) { | ||
| String nameSpacedField; | ||
|
|
||
| for (String queryField:queryFields) { |
There was a problem hiding this comment.
CommitmentId definitely falls into the System-maintained side and should not be checked for access.
| private static Boolean hasFieldReadAccess(Set<String> queryFields) { | ||
| String nameSpacedField; | ||
|
|
||
| for (String queryField:queryFields) { |
There was a problem hiding this comment.
On top of CommitmentId, I think we should also remove the following fields from FLS check because those aren't related to Pause functionality and it's probably used for querying/updating the schedules. In the UI we only display Installment Date, Amount, and Payment Method.
- npe03__Recurring_Donation_Campaign__r.Name
- npe03__Installments__c
- npe03__Total_Paid_Installments__c
- npe03__Contact__c
- npe03__Organization__c
What do you think
|
@andrewyu-salesforce PR feedback has been handled. |
…ity-bug-fixes__security-bug-fixes-2 Feature/248 security bug fixes security bug fixes 2
Critical Changes
Changes
Issues Closed
Community Ideas Delivered
Features Intended for Future Release
Features for Elevate Customers
New Metadata
Deleted Metadata