Rationale

Because Apex generally runs in system context, permissions, field-level security, and sharing rules aren't taken into account during code execution. This might put applications at risk of inadvertently exposing sensitive data.
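
An added example, not part of the original page or of any tool's documentation: a Visualforce-style custom controller that relies on system context, next to a version that enforces sharing rules and field-level security. The class names and the Contact fields queried are assumptions chosen for illustration.

```apex
// Added example; class names and queried fields are hypothetical.
// Each top-level class lives in its own .cls file.

// Before: no sharing keyword and a plain SOQL query. Used as a custom
// controller, this runs in system context: the query returns every matching
// row and every selected field, whatever the running user is allowed to see.
public class ContactLookupController {
    public List<Contact> findByLastName(String lastName) {
        return [SELECT Id, Name, Email, Birthdate
                FROM Contact
                WHERE LastName = :lastName];
    }
}

// After: "with sharing" applies the running user's sharing rules to the
// query, and Security.stripInaccessible applies object and field read
// permissions to the result before it leaves the class.
public with sharing class ContactLookupControllerSecured {
    public List<Contact> findByLastName(String lastName) {
        List<Contact> rows = [SELECT Id, Name, Email, Birthdate
                              FROM Contact
                              WHERE LastName = :lastName];

        // Drops any field the running user cannot read; throws if the user
        // has no read access to the Contact object at all.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);

        return (List<Contact>) decision.getRecords();
    }
}
```

Sharing and field-level security are separate controls: `with sharing` filters which records come back, while `Security.stripInaccessible` filters which fields on those records are returned.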

Scope

  • Apex classes that perform direct or indirect database access
  • Apex web services
  • Apex classes that expose any REST resources (via Apex REST annotations)
  • Apex classes that are used as controllers by Visualforce pages or components
  • Apex classes that are used by Lightning controllers

Exclusions

  • This rule will not trigger on test classes
