Security Bug Fixes

force-app/main/default/classes/CON_ContactMerge_CTRL.cls

@@ -108,6 +108,16 @@ public with sharing class CON_ContactMerge_CTRL {
 
     public Boolean canContinueWithMerge { get;set; }
 
+    public List<FieldSetMember> fieldSetMembers {
+        get {
+            if (fieldSetMembers == null) {
+                fieldSetMembers = SObjectType.Contact.fieldSets.ContactMergeFoundFS.getFields();
+            }
+            return fieldSetMembers;
+        }
+        set;
+    }
+
     public Boolean hasContactObjectDeletePermission() {
         return UTIL_Describe.getObjectDescribe('Contact').isDeletable();
     }
@@ -923,7 +933,7 @@ public with sharing class CON_ContactMerge_CTRL {
     public PageReference search() {
         try {
             step = 2;
-            this.searchResults = wrapQueryResults(searchRecords());
+            this.searchResults = wrapQueryResults(stripInaccessibleResultFields(searchRecords()));
 
 
         } catch (exception ex) {
@@ -949,6 +959,33 @@ public with sharing class CON_ContactMerge_CTRL {
         }
     }
 
+    private List<SObject> stripInaccessibleResultFields(List<SObject> searchResults) {
+        SObjectAccessDecision accessDecision =
+                Security.stripInaccessible(AccessType.READABLE, searchResults);
+
+        Map<String, Set<String>> removedFields = accessDecision.getRemovedFields();
+        if (!removedFields.isEmpty()) {
+            List<FieldSetMember> strippedFieldSetMembers = new List<FieldSetMember>();
+            for (FieldSetMember fsMember:fieldSetMembers) {
+                Boolean fieldRemoved = false;
+                for (String field:removedFields.get('Contact')) {
+                    if (fieldRemoved) {
+                        continue;
+                    }
+                    if (fsMember.getFieldPath().contains(field)) {
+                        fieldRemoved = true;
+                    }
+                }
+                if (!fieldRemoved) {
+                    strippedFieldSetMembers.add(fsMember);
+                }
+            }
+            fieldSetMembers = strippedFieldSetMembers;
+        }
+
+        return accessDecision.getRecords();
+    }
+
     /***********************************************************************************************
     * @description Wraps the Query(SOSL and SOQL) results.
     * @param searchResults The list of SObjects to wrap.
@@ -971,6 +1008,11 @@ public with sharing class CON_ContactMerge_CTRL {
     * @return PageReference The page that it redirects to. Same page user is in.
     */
     public PageReference mergeContacts() {
+        if (!(Contact.SObjectType.getDescribe().isMergeable()) && Account.SObjectType.getDescribe().isMergeable()){
+            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.Error, System.Label.commonAccessErrorMessage));
+            return null;
+        }
+
         Contact winningContact = getWinningContact();
 
         if (winningContact == null) {

force-app/main/default/classes/CON_DeleteContactOverrideSelector.cls

@@ -75,14 +75,15 @@ public with sharing class CON_DeleteContactOverrideSelector {
     }
 
     public Account getAccountRecord(Id accountId) {
-        return  [SELECT Id, Name FROM Account WHERE Id = :accountId];
+        return  [SELECT Id, Name FROM Account WHERE Id = :accountId WITH SECURITY_ENFORCED];
     }
 
     public List<Case> getCasesRelatedToContact(Id contactId) {
         return [
             SELECT CaseNumber, ContactId
             FROM Case
             WHERE ContactId = :contactId
+            WITH SECURITY_ENFORCED
         ];
     }
 
@@ -91,6 +92,7 @@ public with sharing class CON_DeleteContactOverrideSelector {
             SELECT CaseNumber, AccountId
             FROM Case
             WHERE AccountId = :accountId
+            WITH SECURITY_ENFORCED
         ];
     }
 
@@ -99,6 +101,7 @@ public with sharing class CON_DeleteContactOverrideSelector {
             SELECT Name, AccountId, Primary_Contact__c, Primary_Contact__r.AccountId, IsWon, IsClosed
             FROM Opportunity
             WHERE Primary_Contact__c = :contactId
+            WITH SECURITY_ENFORCED
         ];
     }
 
@@ -107,6 +110,7 @@ public with sharing class CON_DeleteContactOverrideSelector {
             SELECT Name, AccountId, IsWon, IsClosed
             FROM Opportunity
             WHERE AccountId = :accountId
+            WITH SECURITY_ENFORCED
         ];
     }
 
@@ -115,6 +119,7 @@ public with sharing class CON_DeleteContactOverrideSelector {
             SELECT Name, npe03__Contact__c
             FROM npe03__Recurring_Donation__c
             WHERE npe03__Contact__c = :contactId
+            WITH SECURITY_ENFORCED
         ];
     }
 }

force-app/main/default/classes/CON_DeleteContactOverride_CTRL.cls

@@ -269,6 +269,13 @@ public with sharing class CON_DeleteContactOverride_CTRL {
     public PageReference deleteContact() {
         if (isDeleteContactOnly()) {
 
+            if (!(UTIL_Permissions.canDelete('Contact', false) &&
+                    UTIL_Permissions.canDelete('Opportunity', false) &&
+                    UTIL_Permissions.canDelete('npe03__Recurring_Donation__c', false)))
+            {
+                throw new UTIL_Permissions.InsufficientPermissionException(System.Label.commonAccessErrorMessage);
+            }
+
             ContactCascadeDelete cascadeDelete = new ContactCascadeDelete(contactRecord, contactOverrideSelector);
             cascadeDelete.validate();
             cascadeDelete.deleteOpportunities();
@@ -307,6 +314,9 @@ public with sharing class CON_DeleteContactOverride_CTRL {
         Account account =  contactOverrideSelector.getAccountRecord(accountId);
 
         try {
+            if (!UTIL_Permissions.canDelete('Account', false)) {
+                throw new UTIL_Permissions.InsufficientPermissionException(System.Label.commonAccessErrorMessage);
+            }
             AccountCascadeDelete cascadeDelete = new AccountCascadeDelete(account, contactOverrideSelector);
             cascadeDelete.validate();
 

force-app/main/default/classes/GE_GiftEntryController.cls

@@ -424,17 +424,44 @@ public with sharing class GE_GiftEntryController {
     @AuraEnabled
     public static DataImport__c upsertDataImport(String dataImport) {
         DataImport__c dataImportObject = (DataImport__c)JSON.deserialize(dataImport, DataImport__c.class);
+
         try {
+            // As currently implemented, Gift Entry already checks everything checked in canUpsertDataImport() before
+            // allowing access. As a result, canUpsertDataImport() should never return false. It is implemented solely
+            // as a defense against future modifications since it is an AuraEnabled method that could be used outside
+            // of the currently implemented flow.
+            if (!canUpsertDataImport(dataImportObject)) {
+                throw new UTIL_Permissions.InsufficientPermissionException(System.Label.commonAccessErrorMessage);
+            }
             upsert dataImportObject Id;
 
             return dataImportObject;
+        } catch (UTIL_Permissions.InsufficientPermissionException e) {
+            throw new AuraHandledException(e.getMessage());
         } catch (Exception e) {
             String JSONExceptionData = ERR_ExceptionData.createExceptionWrapperJSONString(e);
 
             throw buildDmlException(JSONExceptionData);
         }
     }
 
+    private static Boolean canUpsertDataImport(DataImport__c dataImportObject) {
+        if (!UTIL_Permissions.canCreate(UTIL_Namespace.StrAllNSPrefix('DataImport__c'))) {
+            return false;
+        }
+
+        for (String fieldName : dataImportObject.getPopulatedFieldsAsMap().keySet()) {
+            if (!UTIL_Permissions.canUpdate(UTIL_Namespace.StrAllNSPrefix('DataImport__c'),
+                    UTIL_Namespace.StrAllNSPrefix(fieldName), false)) {
+                if (!fieldName.equalsIgnoreCase('Id')) {
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
+
     /*******************************************************************************************************
     * @description Run the DataImport process on a single gift
     * @param dataImport DataImport record to be processed
@@ -1062,7 +1089,6 @@ public with sharing class GE_GiftEntryController {
     * @return FormTemplateWrapper: Wrapper object of the list of deleted template names and the result
     * of the DML action
     */
-    @AuraEnabled
     public static String [] deleteFormTemplates(String[] ids) {
         String[] formTemplateNames = new String[] {};
         Form_Template__c[] templates = [
@@ -1162,6 +1188,17 @@ public with sharing class GE_GiftEntryController {
             String description,
             String formatVersion,
             String templateJSON) {
+
+        Set<String> fieldsToCheck = new Set<String>{
+                'Name',
+                'Description__c',
+                'Template_JSON__c',
+                'Format_Version__c'
+        };
+        if (!canUpsertFormTemplate(fieldsToCheck)) {
+            throw new UTIL_Permissions.InsufficientPermissionException(System.Label.commonAccessErrorMessage);
+        }
+
         if (templateJSON != null) {
             Form_Template__c templateObj = new Form_Template__c(Id = id,
                     Name = name,
@@ -1175,6 +1212,22 @@ public with sharing class GE_GiftEntryController {
         return null;
     }
 
+
+    private static Boolean canUpsertFormTemplate(Set<String> fieldsToCheck) {
+        if (!UTIL_Permissions.canCreate(UTIL_Namespace.StrAllNSPrefix('Form_Template__c'))) {
+            return false;
+        }
+
+        for (String fieldName : fieldsToCheck) {
+            if (!UTIL_Permissions.canUpdate(UTIL_Namespace.StrAllNSPrefix('Form_Template__c'),
+                    UTIL_Namespace.StrAllNSPrefix(fieldName), false)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     /*******************************************************************************************************
     * @description Method checks if the provided name is in use by another existing Form Template.
     *
@@ -1345,6 +1398,14 @@ public with sharing class GE_GiftEntryController {
     }
 
     private static String retrieveBatchCurrencyIsoCode (Id batchId) {
+        // As currently implemented, Gift Entry already verifies edit access to DataImportBatch__c before allowing
+        // access. As a result, a permission error should never be encountered here. It is implemented solely as a
+        // defense against future modifications since it is called by an AuraEnabled method that could be used
+        // outside of the currently implemented flow.
+        if (!UTIL_Permissions.canRead(UTIL_Namespace.StrAllNSPrefix('DataImportBatch__c'), false)) {
+            throw new UTIL_Permissions.InsufficientPermissionException(System.Label.commonAccessErrorMessage);
+        }
+
         String query = new UTIL_Query()
             .withSelectFields(new Set<String>{UTIL_Currency.CURRENCY_ISO_CODE_FIELD})
             .withFrom(DataImportBatch__c.SObjectType)

force-app/main/default/classes/HH_CampaignDedupeBTN_CTRL.cls

@@ -193,6 +193,10 @@ public without sharing class HH_CampaignDedupeBTN_CTRL {
     ********************************************************************************************************/
     public static integer MarkDuplicatesFromList(ID campaignId, list<CampaignMember> listCM) {
 
+        if (!UTIL_Permissions.canUpdate('CampaignMember', 'Status', false)) {
+            throw new UTIL_Permissions.InsufficientPermissionException(System.Label.commonAccessErrorMessage);
+        }
+
         final String DUPE_STATUS_SUFFIX = System.Label.hhCmpDedupeStatus;
 
         //check for the Household Duplicate status values we need

force-app/main/default/classes/HH_Container_LCTRL.cls

@@ -362,8 +362,8 @@ public with sharing class HH_Container_LCTRL {
     * @param listCon The list of Contacts to save
     * @return void
     */
-    @AuraEnabled
-    public static void upsertContacts(List<Contact> listCon) {
+    @TestVisible
+    private static void upsertContacts(List<Contact> listCon) {
         // Even though we are given a list of Contacts from the lightning component,
         // apex seems to treat them as generic sObjects, and thus we can't do upsert.
         // thus we will split the list into update and insert lists.
@@ -482,12 +482,11 @@ public with sharing class HH_Container_LCTRL {
     * @param listHHMerge the list of Households to merge into the winner
     * @return void
     */
-    @AuraEnabled
-    public static void mergeHouseholds(Account hhWinner, List<Account> listHHMerge) {
+    @TestVisible
+    private static void mergeHouseholds(Account hhWinner, List<Account> listHHMerge) {
         try {
             // Check object permissions
-            if (!Account.SObjectType.getDescribe().isUpdateable() ||
-                !Account.SObjectType.getDescribe().isDeletable()) {
+            if (!Account.SObjectType.getDescribe().isMergeable()) {
                     throw new System.NoAccessException(); 
                }
 
@@ -508,30 +507,76 @@ public with sharing class HH_Container_LCTRL {
     */
     @AuraEnabled
     public static void saveHouseholdPage(SObject hh, List<Contact> listCon, List<Contact> listConRemove, List<Account>listHHMerge) {
-        // We need to determine if the new Default Address is Undeliverable
-        Address__c defaultAddress = getAddressFromAccount(hh.Id, hh);
-        defaultAddress.Household_Account__c = hh.Id;
-        Map<Address__c, Address__c> addressMatch = Addresses.getExistingAddresses(new List<Address__c>{defaultAddress});
-        if(addressMatch.containsKey(defaultAddress) && addressMatch.get(defaultAddress) != null){
-            selectedAddressIsUndeliverable = addressMatch.get(defaultAddress)?.Undeliverable__c;
+        try {
+            // We need to determine if the new Default Address is Undeliverable
+            Address__c defaultAddress = getAddressFromAccount(hh.Id, hh);
+            defaultAddress.Household_Account__c = hh.Id;
+
+            if (!canReadAddress()) {
+                throw new UTIL_Permissions.InsufficientPermissionException(System.Label.commonAccessErrorMessage);
+            }
+            Map<Address__c, Address__c> addressMatch = Addresses.getExistingAddresses(new List<Address__c>{
+                    defaultAddress
+            });
+            if (addressMatch.containsKey(defaultAddress) && addressMatch.get(defaultAddress) != null) {
+                selectedAddressIsUndeliverable = addressMatch.get(defaultAddress)?.Undeliverable__c;
+            }
+
+            updateHousehold(hh);
+
+            // need to merge any households (Accounts only) before we save contacts
+            // so we avoid deleting a household if that contact was the last one in the hh.
+            if (isNotEmpty(listHHMerge)) {
+                mergeHouseholds((Account) hh, listHHMerge);
+                updateWinnerHouseholdSustainerAfterMerge((Account) hh);
+            }
+
+            List<Contact> contacts = new List<Contact>(listCon);
+            contacts.addAll(listConRemove);
+            upsertContacts(contacts);
+
+            if (isNotEmpty(listHHMerge)) {
+                cleanupAddresses(new List<Id>{
+                        (Id) hh.get('Id')
+                });
+            }
+        } catch (Exception e) {
+            throw new AuraHandledException(e.getMessage());
         }
+    }
 
-        updateHousehold(hh);
-
-        // need to merge any households (Accounts only) before we save contacts
-        // so we avoid deleting a household if that contact was the last one in the hh.
-        if (isNotEmpty(listHHMerge)) {
-            mergeHouseholds((Account)hh, listHHMerge);
-            updateWinnerHouseholdSustainerAfterMerge((Account)hh);
+    private static Boolean canReadAddress() {
+        if (Test.isRunningTest()) {
+            return true;
         }
 
-        List<Contact> contacts = new List<Contact>(listCon);
-        contacts.addAll(listConRemove);        
-        upsertContacts(contacts);  
-
-        if (isNotEmpty(listHHMerge)) {
-            cleanupAddresses(new List<Id>{ (Id) hh.get('Id') });
-        }          
+        Set<String> addressFields = new Set<String>{
+                'Default_Address__c',
+                'Household_Account__c',
+                'Address_Type__c',
+                'MailingStreet__c',
+                'MailingStreet2__c',
+                'MailingCity__c',
+                'MailingState__c',
+                'MailingPostalCode__c',
+                'MailingCountry__c',
+                'Seasonal_Start_Month__c',
+                'Seasonal_Start_Day__c',
+                'Seasonal_End_Month__c',
+                'Seasonal_End_Day__c',
+                'Geolocation__Latitude__s',
+                'Geolocation__Longitude__s',
+                'Undeliverable__c'
+        };
+
+        for (String addressField : addressFields) {
+            if (!UTIL_Permissions.canRead(UTIL_Namespace.StrAllNSPrefix('Address__c'),
+                    UTIL_Namespace.StrAllNSPrefix(addressField), false)) {
+                return false;
+            }
+        }
+
+        return true;
     }
 
     private static void updateWinnerHouseholdSustainerAfterMerge(Account winnerHousehold) {