Apex PMD: Problem: Validate CRUD permission before SOQL/DML operation

Clash Royale CLAN TAG#URR8PPP

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;

up vote
2
down vote

favorite

Background

I am using the Apex PMD plugin for VS Code and it's giving me this problem:

Validate CRUD permission before SOQL/DML operation

For this line of code:

insert contentVersion;

Which is part of this method:

private void attachReport(Id recordId) 

 ContentVersion contentVersion = new ContentVersion(
 versionData = Blob.valueOf(buffer.toStr()),
 title = 'Import Report',
 pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
 FirstPublishLocationId = recordId);

 insert contentVersion;

Questions

1. Why am I getting the problem?


2. What should I do to not get the problem?

---

Reference

1. Github: VS Code Apex PMD


2. PMD Project

apex visualstudiocode pmd static-code-analysis

share|improve this question

edited 5 hours ago

asked 5 hours ago

Robs

1,196323

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
  – Mark Pond
  5 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
  – Robs
  5 hours ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

favorite

Background

I am using the Apex PMD plugin for VS Code and it's giving me this problem:

Validate CRUD permission before SOQL/DML operation

For this line of code:

insert contentVersion;

Which is part of this method:

private void attachReport(Id recordId) 

 ContentVersion contentVersion = new ContentVersion(
 versionData = Blob.valueOf(buffer.toStr()),
 title = 'Import Report',
 pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
 FirstPublishLocationId = recordId);

 insert contentVersion;

Questions

1. Why am I getting the problem?


2. What should I do to not get the problem?

---

Reference

1. Github: VS Code Apex PMD


2. PMD Project

apex visualstudiocode pmd static-code-analysis

share|improve this question

edited 5 hours ago

asked 5 hours ago

Robs

1,196323

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
  – Mark Pond
  5 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
  – Robs
  5 hours ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

favorite

up vote
2
down vote

favorite

Background

I am using the Apex PMD plugin for VS Code and it's giving me this problem:

Validate CRUD permission before SOQL/DML operation

For this line of code:

insert contentVersion;

Which is part of this method:

private void attachReport(Id recordId) 

 ContentVersion contentVersion = new ContentVersion(
 versionData = Blob.valueOf(buffer.toStr()),
 title = 'Import Report',
 pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
 FirstPublishLocationId = recordId);

 insert contentVersion;

Questions

1. Why am I getting the problem?


2. What should I do to not get the problem?

---

Reference

1. Github: VS Code Apex PMD


2. PMD Project

apex visualstudiocode pmd static-code-analysis

share|improve this question

edited 5 hours ago

asked 5 hours ago

Robs

1,196323

Background

I am using the Apex PMD plugin for VS Code and it's giving me this problem:

Validate CRUD permission before SOQL/DML operation

For this line of code:

insert contentVersion;

Which is part of this method:

private void attachReport(Id recordId) 

 ContentVersion contentVersion = new ContentVersion(
 versionData = Blob.valueOf(buffer.toStr()),
 title = 'Import Report',
 pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
 FirstPublishLocationId = recordId);

 insert contentVersion;

Questions

1. Why am I getting the problem?


2. What should I do to not get the problem?

---

Reference

1. Github: VS Code Apex PMD


2. PMD Project

apex visualstudiocode pmd static-code-analysis

apex visualstudiocode pmd static-code-analysis

share|improve this question

edited 5 hours ago

asked 5 hours ago

Robs

1,196323

share|improve this question

edited 5 hours ago

asked 5 hours ago

Robs

1,196323

share|improve this question

share|improve this question

edited 5 hours ago

edited 5 hours ago

edited 5 hours ago

asked 5 hours ago

Robs

1,196323

asked 5 hours ago

Robs

1,196323

asked 5 hours ago

Robs

1,196323

1,196323

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
  – Mark Pond
  5 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
  – Robs
  5 hours ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
  – Mark Pond
  5 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
  – Robs
  5 hours ago
  

  
  
  
  

1

1

prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
– Mark Pond
5 hours ago

prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
– Mark Pond
5 hours ago

@MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
– Robs
5 hours ago

@MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
– Robs
5 hours ago

add a comment | 

1 Answer
1

active

oldest

votes

up vote
3
down vote

PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.

ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.

Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.

Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:

<rule ref="category/apex/security.xml/ApexCRUDViolation" 
 message="Validate CRUD permission before SOQL/DML operation">

https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml

Related:

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm

https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm

https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations

share|improve this answer

edited 4 hours ago

answered 4 hours ago

Mark Pond

17.8k13083

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "459"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f233319%2fapex-pmd-problem-validate-crud-permission-before-soql-dml-operation%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote

PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.

ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.

Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.

Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:

<rule ref="category/apex/security.xml/ApexCRUDViolation" 
 message="Validate CRUD permission before SOQL/DML operation">

https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml

Related:

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm

https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm

https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations

share|improve this answer

edited 4 hours ago

answered 4 hours ago

Mark Pond

17.8k13083

add a comment | 

up vote
3
down vote

PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.

ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.

Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.

Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:

<rule ref="category/apex/security.xml/ApexCRUDViolation" 
 message="Validate CRUD permission before SOQL/DML operation">

https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml

Related:

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm

https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm

https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations

share|improve this answer

edited 4 hours ago

answered 4 hours ago

Mark Pond

17.8k13083

add a comment | 

up vote
3
down vote

up vote
3
down vote

PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.

ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.

Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.

Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:

<rule ref="category/apex/security.xml/ApexCRUDViolation" 
 message="Validate CRUD permission before SOQL/DML operation">

https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml

Related:

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm

https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm

https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations

share|improve this answer

edited 4 hours ago

answered 4 hours ago

Mark Pond

17.8k13083

PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.

ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.

Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.

Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:

<rule ref="category/apex/security.xml/ApexCRUDViolation" 
 message="Validate CRUD permission before SOQL/DML operation">

https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml

Related:

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm

https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm

https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations

share|improve this answer

edited 4 hours ago

answered 4 hours ago

Mark Pond

17.8k13083

share|improve this answer

share|improve this answer

edited 4 hours ago

edited 4 hours ago

edited 4 hours ago

answered 4 hours ago

Mark Pond

17.8k13083

answered 4 hours ago

Mark Pond

17.8k13083

answered 4 hours ago

Mark Pond

17.8k13083

17.8k13083

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f233319%2fapex-pmd-problem-validate-crud-permission-before-soql-dml-operation%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email