1st question: I am designing a REST API in Salesforce with sessionId as a required field in the request header for all calls after logging in. Is this even required in Salesforce? I was forced to do it when I used a Java client to access the Salesforce data using the SFDC REST API to access the SFDC Objects from Java.
Can I assume that if a user has logged in using a VF page, then he has a valid session for making future Salesforce REST API calls and the REST API doesn't need a sessionID to be passed in?
2nd question: Can the client also pass a SOQL in with the /query/?q= call and get data from Objects over which he has no rights to see, even if the REST class has the with sharing rule and the Objects have the right permission for the Profile?
Apex class methods that are exposed through the Apex REST API don't enforce object permissions and field-level security by default. We recommend that you make use of the appropriate object or field describe result methods to check the current user’s access level on the objects and fields that the Apex REST API method is accessing. See Schema.DescribeSObjectResult and Schema.DescribeFieldResult.
Attribution to: Vijay
Possible Suggestion/Solution #1
When trying to use the Chatter REST API to post a Chatter @mention, I had to pass in the session Id in the request header as:
req.setHeader('Authorization', 'OAuth ' + UserInfo.getSessionId());
You can get the SessionId of the logged-in user as UserInfo.getSessionId()
http://na8.salesforce.com/help/doc/en/admin_monitorresources.htm
I also had to add the URL as a Remote Site Setting for some strange reason, although it was an xx.salesforce.com URL.
I would think the same would apply to your REST service.
Attribution to: techtrekker
Possible Suggestion/Solution #2
When you access the REST calls, you need the OAuth token, or at least the session Id, to get access to data from Salesforce.
Read through how you can set up OAuth, and once OAuth happens between the client and Salesforce you can use this token to access data from Salesforce.
http://wiki.developerforce.com/page/Getting_Started_with_the_Force.com_REST_API
http://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com
The blog post by Pat is helpful in understanding OAuth.
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
// instanceUrl and accessToken come from the OAuth login response
HttpClient httpclient = new HttpClient();
GetMethod get = new GetMethod(instanceUrl + "/services/data/v20.0/query");
get.setRequestHeader("Authorization", "OAuth " + accessToken);
int status = httpclient.executeMethod(get);
Also, answering your question on permissions: when we use a "with sharing" class, the sharing rules are strictly obeyed. You will have to use the "without sharing" keyword if you want to bypass the sharing rules.
And yes, the object permissions and field-level security are not enforced.
Attribution to: Mohith Shrivastava
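As an added illustration (not code from the question or either answer), here is an Apex REST class that does what the Salesforce doc excerpt in the question recommends: it checks the current user's object and field access through the describe results before querying, on top of the record-level sharing rules that with sharing applies. The class name AccountService, the /accounts/* mapping and the field list are assumed.

```apex
// Added example (not from the question or answers): an Apex REST resource that
// enforces object- and field-level security explicitly, since Apex REST does not.
// "with sharing" only applies record-level sharing rules, not CRUD/FLS.
@RestResource(urlMapping='/accounts/*')
global with sharing class AccountService {

    // Fields this endpoint may return (assumed list).
    private static final List<String> FIELDS = new List<String>{'Id', 'Name', 'Industry'};

    @HttpGet
    global static List<Account> doGet() {
        RestResponse res = RestContext.response;

        // Object-level check: can the running user read Account at all?
        Schema.DescribeSObjectResult objDescribe = Account.SObjectType.getDescribe();
        if (!objDescribe.isAccessible()) {
            res.statusCode = 403;
            return null;
        }

        // Field-level check: keep only fields the user's profile can read,
        // so the API never returns a field the UI would hide.
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        List<String> readable = new List<String>();
        for (String f : FIELDS) {
            Schema.SObjectField sf = fieldMap.get(f.toLowerCase()); // map keys are lowercase
            if (sf != null && sf.getDescribe().isAccessible()) {
                readable.add(f);
            }
        }
        if (readable.isEmpty()) {
            res.statusCode = 403;
            return null;
        }

        // Record-level access comes from "with sharing"; FLS was applied above.
        // User input goes in through a bind variable, never string concatenation.
        String nameFilter = RestContext.request.params.get('name');
        String soql = 'SELECT ' + String.join(readable, ', ') + ' FROM Account';
        if (String.isNotBlank(nameFilter)) {
            soql += ' WHERE Name = :nameFilter';
        }
        return Database.query(soql + ' LIMIT 200');
    }
}
```

A client then calls GET /services/apexrest/accounts?name=Acme with the session Id or OAuth token in the Authorization header, exactly as the two answers above describe.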
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/4207