CRUD in Lightning

In one of our previous blogs displaying account list in a Modal Dialogue box using Lightning Components was discussed.In this blog I will extend Creating a Modal Dialog box using Lightning Design System – Lightning Component by implementing security to it.

Client is always under the control of attacker hence all access control enforcement must happen at server-side.When a lightning component invokes a server-side controller, it must be ensured that server-side read/write operations do not undermine the security policy as set by user’s profile and sharing permissions.

CRUD Permissions are not automatically enforced by Lightning components while referencing objects or retrieving objects from an Apex controller.This means users can access records and fields for which they do not have CRUD.

Example – Created a profile which does not has any CRUD permission on Account and assigned this profile to an User.

But still the user has access to the account records and fields.

This is a major security lapse. Hence CRUD must be enforced manually in Apex controllers.

Here I will be discussing on how to enforce CRUD permissions by extending apex controller (AccountListController.apxc) of Creating a Modal Dialog box using Lightning Design System – Lightning Component blog (For full code please refer the link).

Example of checking accessibility by using isAccessible

[sourcecode language=”java”]

public with sharing class AccountListController {

public static list <Account> getAccountlist() {

String[] AccountFields = new String[] {

Map <String, Schema.SObjectField> m = Schema.SObjectType.Account.fields.getMap();
for (String fieldToCheck: AccountFields) {
// Check if the user has access to view field
if (!m.get(fieldToCheck).getDescribe().isAccessible()) {
// if(!Schema.SObject.Account.isAccessible()){
// Pass error to client
throw new System.NoAccessException();
// Suppress editor logs
return null;
return [Select id, Name, Industry, Phone from Account Order by CreatedDate desc limit 10];
public static void getAccountupdatedlist(Account newAcc) {

insert newAcc;



Now the User will not have access to the Account records.

Please note that calling isAccessible() or any field-level access checks on a field automatically checks that the user has corresponding CRUD access to the object type.

Similarly isUpdateable, isCreateable and isDeletable can be used to enforce other CRUD permissions.

For more information on CRUD permissions and other Lightning Security kindly refer the this link: Lightning Security.

Recent Posts

low Code vs pro code automation with flow and code
Low-Code vs Pro-Code | Automation with Flow and Code
devops introduction seamless development and operations
DevOps Introduction: Seamless Development and Operations
salesforce for small businesses success
Salesforce for Small Businesses Success
salesforce communities building stronger customer relationships
Salesforce Communities: Building Stronger Customer Relationships
salesforce app cloud what exactly is it and its advantages
Salesforce App Cloud: What Exactly is it & its Advantages?
Scroll to Top