I failed to pass security review for an app that has two classes using the “without sharing” keyword. Both were not chosen accidentally but by design.
One class is
SObjectUnitOfWork.cls from Andrew Fawcett’s Patterns library, a well-known and Salesforce.com recommended public library.
The other class was added by myself to access data that is not owned/shared by the user. So I used “without sharing”.
How can I pass security review with those cases?
I would strongly suggest reading this recent post by Dan Appleman.
He outlines the various ways in which factors like sharing and CRUD/FLS play into security, and ends with the comment below, which tells me you can pass security review with classes not marked as sharing so long as it is clear to the users administering the system which uses that construct:
But if you implement one of the architectures described here, it’s
virtually guaranteed that your first attempt to pass security review
will fail. That’s the bad news. The good news is that the security
review team actually understands security – the individuals I’ve dealt
with have been consistently very competent. So they understand that
real applications often need classes that are defined without sharing,
and DML operations that do not test for field accessibility. What they
want to see from you is that you aren’t just ignoring security out of
laziness, but that those decisions were intentional. They don’t care
so much where the security boundary is, as much as that you have one,
and that it respects and enforces the configuration on the platform.
You’ll need to document exactly what you are doing and why as part of
your security review application, but once you’ve done so, assuming
your security architecture is sound, you should be able to pass
security review, at least with regards to field, object and record
level security, without further trouble.
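As an added illustration of the “intentional, documented boundary” the answer describes (this is example code written for this page, not code from the question, the answer, or Andrew Fawcett’s library), the pattern below keeps the entry point `with sharing`, confines the privilege escalation to a small inner `without sharing` class, and still enforces object- and field-level security on both sides of the boundary. The object `Account` and the fields `Region__c` and `Flagged__c`, as well as the class and method names, are assumptions for the sake of the example.

```apex
/**
 * Added example: a with-sharing service that delegates one narrowly scoped
 * operation to an inner without-sharing class. The comment on the inner
 * class is the kind of rationale a security review application needs.
 * Account.Region__c and Account.Flagged__c are hypothetical custom fields.
 */
public with sharing class AccountRegionService {

    // Thrown when the running user lacks CRUD/FLS for the operation.
    public class AccessDeniedException extends Exception {}

    // Entry point: runs under the caller's sharing rules.
    public static void flagAccountsInRegion(String region, Boolean flagValue) {
        // Record-level sharing is bypassed below by design, so object- and
        // field-level permissions are checked here, before escalation.
        if (!Schema.SObjectType.Account.isUpdateable()
            || !Schema.SObjectType.Account.fields.Flagged__c.isUpdateable()) {
            throw new AccessDeniedException(
                'Running user may not update Account.Flagged__c');
        }
        // Inner classes cannot hold static members, so instantiate it.
        new RegionUpdater().applyFlag(region, flagValue);
    }

    /**
     * WITHOUT SHARING BY DESIGN.
     * Why: the rule must apply to every Account in a region, including
     * records the current user does not own or see through sharing rules.
     * Boundary: reads Id, Flagged__c and Region__c; writes only Flagged__c.
     * Controls: CRUD/FLS verified by the caller, and stripInaccessible is
     * applied again here so no field the user may not update is written.
     */
    private without sharing class RegionUpdater {
        public void applyFlag(String region, Boolean flagValue) {
            // Runs without sharing, so this returns records regardless of
            // the running user's record-level access.
            List<Account> accts = [
                SELECT Id, Flagged__c
                FROM Account
                WHERE Region__c = :region
            ];
            for (Account a : accts) {
                a.Flagged__c = flagValue;
            }
            // Defense in depth: drop any field the user cannot update
            // before the DML, then persist only what survived the check.
            SObjectAccessDecision decision =
                Security.stripInaccessible(AccessType.UPDATABLE, accts);
            update decision.getRecords();
        }
    }
}
```

The point for the review is not that `without sharing` is absent, but that it is isolated in one class with a single purpose, the reason is written next to it, and the object/field permissions configured on the platform are still honored at the boundary.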