The sharing documentation Using the with sharing, without sharing, and inherited sharing Keywords says:
- The sharing setting of the class where the method is defined is applied, not of the class where the method is called. For example, if a method is defined in a class declared with `with sharing` is called by a class declared with `without sharing`, the method executes with sharing rules enforced.
- Both inner classes and outer classes can be declared as `with sharing`. The sharing setting applies to all code contained in the class, including initialization code, constructors, and methods.
- Inner classes do not inherit the sharing setting from their container class.
I have an awkward case where I have `inherited sharing` inner classes called from `without sharing` inner classes of a different outer class. See a Clean way to vary sharing at runtime in Apex? for that code. The aim is for the `without sharing` to be respected and by my reading of the documentation it should be based on the last bullet point above.
Do you agree? Right now I have some confusing test results…
(A related question is Sharing rules and Inner classes.)
I assume that a “Default Internal Access” setting of “Private” is ignored in Apex `without sharing` code but at present my test does not support that assumption.
`inherited sharing` behaves identically to not using a sharing mode at all, except when used as a top-level entry point (e.g. a Visualforce or Aura controller, RestResource, etc.), in which case the context of the call will be
If you care about Security Reviews, you should probably use `inherited sharing` on all classes that do not specify `with sharing` or `without sharing`. Aside from that, inner classes, utility classes, and other non-top-level-execution-context classes can omit the `inherited sharing` keyword, and it will automatically execute in the currently configured sharing mode.
I answered your other question that demonstrates how I would get into a certain sharing mode using a minimal amount of code, most of which is boilerplate at that point.
The documentation makes a good argument for using `inherited sharing` as opposed to no sharing mode at all:
Apex without a sharing declaration is insecure by default. Designing Apex classes that can run in either with sharing or without sharing mode at runtime is an advanced technique. Such a technique can be difficult to distinguish from one where a specific sharing declaration is accidentally omitted. An explicit inherited sharing declaration makes the intent clear, avoiding ambiguity arising from an omitted declaration or false positives from security analysis tooling.
`inherited sharing` makes it clear that the higher-level sharing mode will be respected; the code becomes self-documenting while still respecting your decision on using the calling context’s sharing mode.
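
The case discussed on this page, an `inherited sharing` inner class called from `with sharing` and `without sharing` inner classes of a different outer class, written out as an added example that is not code from the question or the answer. The class names are hypothetical, and the test assumes that Account default internal access is Private and that a "Standard User" profile exists in the org.

```apex
// Added illustration. Each top-level class goes in its own file.
// RecordReader, SharingModes and SharingModesTest are hypothetical names.
public class RecordReader {
    // The inner class does not inherit a sharing mode from RecordReader;
    // inherited sharing makes it follow the class that calls it.
    public inherited sharing class Selector {
        public Integer countAccounts() {
            return [SELECT COUNT() FROM Account];
        }
    }
}

public class SharingModes {
    public with sharing class Enforced {
        public Integer count() { return new RecordReader.Selector().countAccounts(); }
    }
    public without sharing class Bypassed {
        public Integer count() { return new RecordReader.Selector().countAccounts(); }
    }
}

@IsTest
private class SharingModesTest {
    @IsTest
    static void selectorFollowsCallerSharingMode() {
        // Assumptions: Account default internal access is Private and a
        // "Standard User" profile exists in the org.
        insert new Account(Name = 'Owned by the test-running user');
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User other = new User(
            Alias = 'shrtst', LastName = 'SharingTest', ProfileId = p.Id,
            Email = 'sharing.test@example.com',
            Username = 'sharing.test.' + System.currentTimeMillis() + '@example.com',
            EmailEncodingKey = 'UTF-8', LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US', TimeZoneSidKey = 'America/Los_Angeles');
        System.runAs(other) {
            // Called from a with sharing class: the Private default hides the record.
            System.assertEquals(0, new SharingModes.Enforced().count());
            // Called from a without sharing class: record sharing is not enforced.
            System.assertEquals(1, new SharingModes.Bypassed().count());
        }
    }
}
```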