Back to LinkedIn posts

LinkedIn post 105

Did you know it is better to write SOQL using WITH USER_MODE instead of WITH SECURI...

Did you know it is better to write SOQL using WITH USER_MODE instead of WITH SECURITY_ENFORCED?

What I like more is that WITH USER_MODE reports all FLS errors while WITH SECURITY_ENFORCED returns only the first error and the resulting QueryException has getInaccessibleFields() to get the full set of access errors.

The equivalent parameter in other contexts:
๐Ÿ‘‰ Database.query( queryString, AccessLevel.USER_MODE )
๐Ÿ‘‰ Database.insert( recordsToInsert, allOrNone, AccessLevel.USER_MODE )
๐Ÿ‘‰ insert as user aRecord

For insert as user, we get the set of fields via DMLException.getDmlFieldNames() and for Database.method(), via SaveResult.getErrors().getFields().

References:
๐Ÿ”— https://lnkd.in/gqJCCQsc
๐Ÿ”— https://lnkd.in/gUj2zH-v

Other thoughts:
๐Ÿง WITH SECURITY_ENFORCED seems to be on its way to being deprecated.
๐Ÿง USER_MODE enforces security on all fields including WHERE/ORDER BY and polymorphic relationships.
๐Ÿง WITH USER_MODE can be applied to DML operations, which saves us from having to add extra logic such as Schema.describe checks or stripInaccessible().
๐Ÿง If you need partial data then you will still use stripInaccessible(). Check out this article ๐Ÿ”— https://lnkd.in/gDB2MJ7T
๐Ÿง Migrating to USER_MODE will not just be search/replace: we will have to handle DML exceptions, queries that just filtered non-accessible fields now will fail, and I have yet to check tools such as PMD, linters or Checkmarx are updated for USER_MODE.

Thanks to Aditya Mohandasan ๐Ÿ™ , who pointed out a new feature: AccessLevel.withPermissionSetId(), which enforces permissions of the specified permission set on top of the running user's permission
๐Ÿ”— https://lnkd.in/gPUmyUDW

Did you know it is better to write SOQL using WITH USER_MODE instead of WITH SECURI...
Did you know it is better to write SOQL using WITH USER_MODE instead of WITH SECURI...