For SOQL queries, can “WITH USER_MODE” safely replace “WITH SECURITY_ENFORCED”?

Tags: apex, field-level-security, lightning-web-components, security

When performing static or dynamic SOQL queries, should WITH SECURITY_ENFORCED now be replaced with WITH USER_MODE? Under what conditions, if any, should WITH SECURITY_ENFORCED still be used given there is also WITH SYSTEM_MODE?

If I attempt to replace SECURITY_ENFORCED with USER_MODE, the Salesforce Extensions in VSCode produce the warning:

Validate CRUD permission before SOQL/DML operation (rule: Security-ApexCRUDViolation)

Is this just a case of the VSCode Extension not being updated yet? (Or that USER_MODE is still in beta?)

The Apex Developer Guide talks about USER_MODE here:

Salesforce's dreamhouse-lwc sample application uses USER_MODE in at least one of their controllers.

Best Answer

We are recommending developers use WITH USER_MODE and avoid using WITH SECURITY_ENFORCED.

In fact, at some time in the future, we may likely retire WITH SECURITY_ENFORCED.

The WITH USER_MODE supports lots of new innovations like restriction rules, scoping rules, and any other security operations for data access and CRUD/FLS that may be added by the platform in the future, so it's sort of future-proof. It also handles complex security use cases better.

Also, it supports SOSL and polymorphic queries and performs far better than using the WITH SECURITY_ENFORCED.

WITH USER_MODE can handle CRUD/FLS for fields in the WHERE clause in SOQL or for areas used in a relationship query or polymorphic lookup.

You can find more information about why you should prefer WITH USER_MODE and avoid WITH SECURITY_ENFORCED in the latest talk at the TrailblazerDX 2023 conference, and the link to view the talk is shared below.

https://www.salesforce.com/plus/experience/trailblazerdx_2023/series/Developers_for_TrailblazerDX_2023/episode/episode-s1e1
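
Added example (not part of the question or the answer above, and not Salesforce's own code): the same query written with WITH SECURITY_ENFORCED and with WITH USER_MODE, plus the dynamic form using AccessLevel.USER_MODE. The class name, method names and the choice of Contact fields are assumptions for illustration.

```apex
// Added example. ContactQueryExample and its method names are hypothetical.
public with sharing class ContactQueryExample {

    // Older pattern. CRUD/FLS is checked only for the fields in SELECT and
    // the object in FROM. Email is used in WHERE, so a user without read
    // access to Contact.Email can still filter on it.
    public static List<Contact> legacyQuery(String emailDomain) {
        String emailFilter = '%@' + emailDomain;
        return [
            SELECT Id, LastName
            FROM Contact
            WHERE Email LIKE :emailFilter
            WITH SECURITY_ENFORCED
        ];
    }

    // Recommended pattern. The whole query runs with the running user's
    // object permissions, field-level security and sharing, including
    // the Email field referenced in WHERE.
    public static List<Contact> userModeQuery(String emailDomain) {
        String emailFilter = '%@' + emailDomain;
        try {
            return [
                SELECT Id, LastName
                FROM Contact
                WHERE Email LIKE :emailFilter
                WITH USER_MODE
            ];
        } catch (QueryException e) {
            // Object name -> field names the running user cannot access.
            Map<String, Set<String>> blocked = e.getInaccessibleFields();
            System.debug(LoggingLevel.WARN, 'Blocked by CRUD/FLS: ' + blocked);
            return new List<Contact>(); // fail closed: return no rows
        }
    }

    // Dynamic SOQL: pass the access level as the second argument instead
    // of adding a WITH clause to the query string.
    public static List<Contact> userModeDynamicQuery(String emailDomain) {
        String emailFilter = '%@' + emailDomain;
        return Database.query(
            'SELECT Id, LastName FROM Contact WHERE Email LIKE :emailFilter',
            AccessLevel.USER_MODE
        );
    }
}
```

A quick check is to run `legacyQuery` and `userModeQuery` as a user whose profile has no read access to Contact.Email: the first returns rows, while the second hits the `QueryException` branch and reports `Email` in `getInaccessibleFields()`.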