Lightning – FLS

I’m reviewing the lightning documents, I don’t find any relevant topics for FLS access control, in VF it works based on profile and throw error based on permissions. It seems like lot of code needs to be written to solve this on client side?


Basically CRUD/FLS, as with all access control, must always be done on the server. Access control can never be done on the client (if data is sent to the client, it is already too late, as the client is under the control of the attacker). It is not possible for an aura component to play an equivalent role to a visualforce inputField component, because client-side filtering is for usability, not security.

CRUD/FLS must be enforced in the Apex Controller via the usual isAccessible(), isCreatable(), isUpdateable() calls. Object permissions are ignored in Apex, which is why you need to use a standard controller or check for object permissions yourself.

Note that there is no analogue of server-side visualforce outputField components that performs permissions checks for you.

This means that you will need to bulk up your server side code with CRUD and FLS checks and always use ‘with sharing’ in all of your apex classes in order to use lightning components safely. Unfortunately the current tutorials seem to ignore sharing as well as CRUD/FLS, but this does not mean that you can ignore these issues when writing components. I’m sure that additional documentation will be provided but in the meantime you can refer to the existing documentation about enforcing CRUD/FLS calls in Apex controllers. All of that continues to hold for aura-enabled methods.

Source : Link , Question Author : realnumber , Answer Author : Robert Sussland

Leave a Comment