giannas / force-dot-com-esapi Goto Github PK

I have wizards that create multiple objects that have master/detail 
(parent/child) relationships in one 
go. So the child needs hooking up to the parent meaning the parent id must be 
available. After an insert 
an SObject's Id field is populated and so this sequence works:

Parent__c p = new Parent__c();
insert p;
Child__c c = new Child__c();
c.Parent__c = p.Id;
insert c;

But AccessControllerInterface.insertAsUser does not expose the resulting id of 
the inserted object...

Given that the id value cannot be assigned, returning the created SObject would 
allow the access control 
to be introduced with the least code changes like this:

Parent__c p = new Parent__c();
p = (Parent__c) ESAPI.accessController().insertAsUser(p, ...);
Child__c c = new Child__c();
c.Parent__c = p.Id;
c = (Child__c) ESAPI.accessController().insertAsUser(c, ...);

But related list-based calls already return Database.SaveResult[]. I am unclear 
why this approach is used 
rather than throwing an exception. If an exception-based approach can be 
accomplished then the natural 
equivalent for the list-based case is obviously:

Parent__c[] ps = ...;
ps = (Parent__c[]) ESAPI.accessController().insertAsUser(ps, ...);

Currently getViewableFields, getCreateableFields, and getUpdateableFields 
accept sObject as a parameter. If a developer want to check the permissions in 
advance before they even have a specific sObject available this is not 
intuitive. We should allow calling these functions with sObjectType instead.

[deleted issue]

Feature request:

Add new functions to allow the developer to check if the current user has the 
permission needed for his application before actually calling 
insertAsUser/UpdateAsUser/deleteAsUser.

Enhancement:

It would be useful if the ESAPI would provide methods for checking the record 
level access (sharing rules). So these are methods that check whether the 
current user has access to a given record (e.g. passed by the ID or passed as 
an sObject).

escape single quote in JSINHTMLENCODE

Due to the use of the "fields" member variable in insertAsUser and 
updateAsUser we limit the usage of these functions to 10 calls in a single 
execution call.

Adding the insertAsUser and updateAsUser array functions, probably solved 
this problem partially, because for array operations the library will only 
call fields once. This means that only if you call these functions over 
ten times it will hit the governor limit.

In addition we are going to introduce insertAsUser and updateAsUser 
functions that will accept Schema.SObjectField[]. For these functions we 
will not use the fields member variable at all. If you have an issue with 
the limits you will be able to use these functions instead.

If anyone is still having issues with limit because of these functions, 
please add a comment with a use case and we can reconsider the priority 
for this issue.

Issue is not related to main code but test classes.
In the test classes methods (like testAccessController.testLimits) creates 
contacts in a loop with exact Lastname. This is an extraordinary case for a 
real life scenario.

In some orgs which has duplicate checking apps/codes (like Duplicate Check for 
Salesforce 2.0 by Addressed World) this test class triggers lots of soql to run 
and cause some test cases to fail.

What steps will reproduce the problem?
1. Install the Duplicate Check for Salesforce 2.0 and ESAPI managed in a org
2. run All tests

What is the expected output? What do you see instead?
In these type of test classes Last name string can be changed by adding the 
iteration counter to string as follows

svn/  trunk/ src/ classes/ testAccessController.cls
Line 350: c.LastName = 'ESAPI Test Spu8UY&thuCrUzAPa2ASTaC7rA$Ra3 c limits'+i 

What version of the product are you using? On what operating system?
LAtest Salesforce version


Please provide any additional information below.

Enhancement:

It would be useful if the ESAPI would provide a method for converting a string 
that might contain HTML tags into a text-only string. That could be used to 
sanitize a string in order to prevent XSS.

When working in a development org that has a namespace prefix defined (cvc in 
this case) that prefix needs to be included 
in the field name in calls like this:

ESAPI.accessController().insertAsUser(claim, new String[] {'cvc__Status__c'});

All other Apex code (e.g. SOQL) remains unpolluted with the prefix as that is 
really a separate attribute and may change. 
And more importantly, the code will not run in any other development org such 
as the org that sf:deploy is used to do 
continuous integration deploy/tests into. (See 
http://force201.wordpress.com/category/continuous-integration/ for an 
example of such a setup.)

So please consider one or both of these possibilities:

A) Adding the prefix internally in the implementation so the calling code 
remains clean and people do not have to 
implement their own code to do this and make the ESAPI calls even more verbose 
by wrapping all the field names in the 
resulting utility.

B) Given that you are already consuming the 10 describe calls limit to get 
other information you need, provide methods 
which do not require the field names to be supplied. (Or is there no way of 
avoiding hitting "SObject row was retrieved 
via SOQL without querying the requested field" errors in this case with your 
design?) As the API stands you are adding 
yet another case to the DRY principle violations that Apex imposes and also 
potentially (if other steps have been taken) 
stopping managed package code from working when custom fields are added.

Enhancement:

It would be useful if the ESAPI would provide methods for validating the format 
of an email address, a domain or a host name. These are standard validation 
situations that would come in handy for every developer.

I want to know if it is possible to insert object with relationship, because i 
don't think it is doing it. 
For my case, as we do not have full access to the inserted list of object, and 
that i need the inserted list to be able to insert its child or dependent list. 
So i opted to do it via relationship like this : 

t.Notes__c = j.Notes__c 
t.Description__c = j.Description__c
Customer_Information__c ci = new Customer_Information__c(TECH_External_ID__c = 
j.id + uniqueKey);
t.Customer_Information__r = ci;

but then, i can't specify the relationship in the field list, because its not a 
field, and if i do not specify it, then the relationship is not created. Hoe to 
catter for this?