Is there a way to force clients of a REST service to use their sessionId to access the service? I can currently access this URL without any sessionId: https://ddddddd.force.com/services/apexrest/contacts/00sddd5/employees
I did add the REST service class RESTClass... to the Public Access Settings of the Sites tool (Sites -> Apex Class Access).
Apex class methods that are exposed through the Apex REST API don't enforce object permissions and field-level security by default. We recommend that you make use of the appropriate object or field describe result methods to check the current user’s access level on the objects and fields that the Apex REST API method is accessing. See Schema.DescribeSObjectResult and Schema.DescribeFieldResult. - Exposing Data with Apex REST Web Service Methods
Schema.DescribeFieldResult F = Employee__c.Termination_Date__c.getDescribe();
F.isAccessible() returns true if the user is allowed to see this field.
Boy, if we have to do this for all fields, even if we use a utility, that is a pain.
TIA
Attribution to: Vijay
Possible Suggestion/Solution #1
The issue is that you would like to authenticate users before allowing access to the web service, but you are exposing the web service with public access. You will need to reduce the security to only internal users.
Attribution to: tannershamrock
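As an added example (not code from the question or the answer), the following Apex REST class combines both points above: it turns away Site guest callers, which is what the public Apex Class Access setting lets in, and runs the object and field describe checks in one loop rather than one hand-written getDescribe() per field. It assumes a custom object Employee__c with a lookup field Contact__c to Contact; the class name and URL mapping are constructed here.

```apex
// Assumptions for this example: Employee__c exists and has a lookup Contact__c.
@RestResource(urlMapping='/contacts/*/employees')
global with sharing class EmployeeRestService {

    // Fields the service intends to return (constructed list for this example).
    private static final List<String> FIELDS_TO_RETURN = new List<String>{
        'Name', 'Termination_Date__c'
    };

    @HttpGet
    global static List<Employee__c> getEmployees() {
        RestRequest req = RestContext.request;
        RestResponse res = RestContext.response;

        // 1. Session check: a Site guest user has no session of its own. Listing the
        //    class under Sites -> Apex Class Access is what made the URL reachable
        //    anonymously, so refuse guest callers here as well.
        if (UserInfo.getUserType() == 'Guest') {
            res.statusCode = 401;
            return null;
        }

        // 2. Object-level check: Apex REST does not enforce CRUD or FLS by itself.
        Schema.DescribeSObjectResult objDescribe = Employee__c.SObjectType.getDescribe();
        if (!objDescribe.isAccessible()) {
            res.statusCode = 403;
            return null;
        }

        // 3. Field-level check in one loop over the describe map (keys are lowercase).
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        List<String> selectable = new List<String>{ 'Id' };   // Id is always readable
        for (String fieldName : FIELDS_TO_RETURN) {
            Schema.SObjectField token = fieldMap.get(fieldName.toLowerCase());
            if (token != null && token.getDescribe().isAccessible()) {
                selectable.add(fieldName);
            }
        }

        // 4. Query only the fields this user may read; 'with sharing' applies row access.
        String contactId = req.requestURI.substringAfter('/contacts/').substringBefore('/');
        if (String.isBlank(contactId)) {
            res.statusCode = 400;
            return null;
        }
        String soql = 'SELECT ' + String.join(selectable, ', ')
                    + ' FROM Employee__c WHERE Contact__c = :contactId';
        return Database.query(soql);
    }
}
```

Fields the user cannot read are simply omitted from the SELECT, so the serialized response never contains them.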
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/4062