Does with sharing enforce OLS/FLS?
When you use with sharing keyword in an apex class, and try to query an object which doesn't have read permission on the profile, what would happen? Would it still show some results?
The results would depend on the Organization-Wide Default and other record-level sharing configuration for that user. The fact that they do not have read access at the object level is irrelevant because Apex runs in system mode.
It is a surprisingly common misconception that with sharing
enforces FLS and CRUD, which is why you may have seen this claimed elsewhere. It does not. A recent entry on the Salesforce Developer Blog, Learn MOAR in Spring ’20 with Field Level Security in Apex, discusses FLS enforcement tools in depth, and notes
Using the with sharing keywords when declaring a class enforces Sharing Rules, but not object and field-level permissions.
What happens when a user not having the access to some object tries to run select query on that object in query editor?
They won't be able to because Developer Console's Query Editor and Anonymous Apex do not run in System Mode. They will see an error that that object does not exist. This is true of all clients of the Salesforce API (Anonymous Apex is run via the Tooling API): FLS and CRUD are enforced on API clients.
I read that in SOQL, we need to use WITH SECURITY_ENFORCED to enforce FLS. What happens if you don't use this keyword in a class defined as with sharing?
These features have nothing to do with one another. You can use them in any combination. WITH SECURITY_ENFORCED
is one of several ways to enforce FLS. The other new function that does so is Security.stripInaccessible()
, which is preferable in many contexts. The blog post from Salesforce Developers linked above discussed both of these new tools.
If the with sharing keyword enforces profile level permissions, why would you use methods like isUpdateable(), isAccessible() etc?
It doesn't.
I wanted to test these on my own, but any user other than system administrator is not able to see Developer Console option, even when I have API enabled checkbox checked. Does it have something to do with the license?
Developer Console requires View All Data as well as other permissions. See also this previous SFSE question.
When you use with sharing keyword in an apex class, and try to query an object which doesn't have read permission on the profile, what would happen? Would it still show some results?
Yes, it could theoretically show some results. Sharing is always calculated as if the user has access to the object, so if any records could be seen if the user has permission, Apex can read them. This is why the security best practices advises that you always check for field and object level access before attempting a query.
What happens when a user not having the access to some object tries to run select query on that object in query editor?
They'll get an error stating that the object/field does not exist.
I read that in SOQL, we need to use WITH SECURITY_ENFORCED to enforce FLS. What happens if you don't use this keyword in a class defined as with sharing?
The user can view data from fields and objects they can't otherwise see.
If the with sharing keyword enforces profile level permissions, why would you use methods like isUpdateable(), isAccessible() etc?
It doesn't, but those methods should be used in all situations to make sure the user can read/edit/delete from fields/objects, unless using the new SOQL parameter to enforce security and scrubbing records with the related sObject method (apparently still in pilot).
I wanted to test these on my own, but any user other than system administrator is not able to see Developer Console option, even when I have API enabled checkbox checked. Does it have something to do with the license?
You can create a permission set to give a user minimum access required to access the Developer Console. They'll need View All Data and Author Apex permissions.
>