[SFCA -- Trust/Security][Implementation] Address potential security vulnerabilities in NPSP (CRLP) #6976

Merged
merged 2 commits into from
Jun 8, 2022


@daniel-fuller daniel-fuller commented Jun 7, 2022

We added a code notation to bypass the customized rollup service when the SFCA scanner is executed on the NPSP code base since we don't want all CRLP operations to execute in a system context regardless of user permissions.

Critical Changes

Changes

  • We improved security around Customizable Rollups.

Issues Closed

Community Ideas Delivered

Features Intended for Future Release

Features for Elevate Customers

New Metadata

Deleted Metadata

@@ -35,6 +35,9 @@
* @description Lightning Component Server Controller for the Rollups UI page CRLP_Setup.
*/

// Adding custom rule to avoid this class being scanned by the SFCA scanner since we will not enforce FLS for
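
Review bot: The added comment after the class doc comment justifies excluding this whole class from the SFCA scanner on the grounds that FLS is not enforced, but an exclusion at class level would also hide any later finding in this controller that has nothing to do with FLS. If the scanner rule allows it, limit the suppression to the FLS check only, and extend the comment to say what restricts access to this controller instead, so the next reader can verify that the system-context behaviour is intentional.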
Contributor

This is a useful comment. Should it be included in CMT_FilterRule_SEL as well?

Contributor Author

Agreed. Just added!

@npsp-reedestockton npsp-reedestockton merged commit dc728c5 into feature/240 Jun 8, 2022
@npsp-reedestockton npsp-reedestockton deleted the feature/240__crlpSFCA branch June 8, 2022 16:37
@salesforce-org-metaci salesforce-org-metaci bot mentioned this pull request Jun 8, 2022