Ron Chan Profile
Ron Chan

@ngalongc

Followers
19K
Following
4K
Statuses
1K

Joined September 2014
@ngalongc
Ron Chan
1 month
Day 10 of learning salesforce security. Thank you @ConspiracyProof for writing this up. I tried to access the labs but they are down, which makes sense because the paper has a few years of history. So I set up my own instance, and can't seem to reproduce level 1's custom component. The bootstrap.js response of the custom component seems to be all over the place; idk if this is for newly created orgs or all bootstrap.js has been changed. It seems there is no easy, elegant way to parse the custom component, other than writing a custom parser. At this stage, I think a good way to test how well I understand these is by writing an SF scanner from an unauthenticated user perspective. But first I'll consolidate what I've learnt into a blog post; I'll stop updating for a few days to work on it.
1
4
39
@ngalongc
Ron Chan
1 month
@sasi2103 🤫
0
0
1
@ngalongc
Ron Chan
1 month
@ConspiracyProof @monkehack I'm excited! Thank you for writing this up!
0
0
1
@ngalongc
Ron Chan
1 month
To all the GPs out there, please don't be so certain about your opinion -- you could be wrong, and the consequences could be fatal. The specialist I met is the best doc I've seen, and he said "I'm not sure what it is, but let's try things out and see what works". You see, we patients don't want someone to show us the way, we want someone to walk with us. Be like the specialist. Thank you.
0
0
9
@ngalongc
Ron Chan
1 month
I often ask myself what I would do if I had more money than I'll ever spend.
- Learn Physics again (3 years of my college life don't count)
- Work out every day
- Read more books like The Three-Body Problem
- Spend time with friends & family
- Learn interesting stuff
And then I realised I don't have to be rich to do that, I can just start today🤷‍♂️
@vhmth
Vinay Hiremath
1 month
I am rich and have no idea what to do with my life. Where I talk about leaving Loom, giving up $60m, larping as Elon, breaking up with my girlfriend, insecurities, a brief stint at DOGE, and how I'm now in Hawaii self-studying physics.
1
4
33
@ngalongc
Ron Chan
1 month
Day 8 of learning salesforce
Other than the apex calls mentioned by I found there are two more ways for salesforce to invoke the same apex class.
The first is through /webruntime/api/apex/execute, with a body that looks like
{"namespace":"","classname":"@udd/01pJX00000AVDo1","method":"createBird","isContinuation":false,"params":{"name":"df"},"cacheable":false}
The second is our old aura friend, but with a slightly different syntax:
{"actions":[{"id":"83;a","descriptor":"aura://ApexActionController/ACTION$execute","callingDescriptor":"UNKNOWN","params":{"namespace":"","classname":"CustomBirdController","method":"getAllBirds","cacheable":false,"isContinuation":false}}]}
The third one is the one I shared on day 7. I find all of the above resolve to the same custom apex class.
I found out there are two more ways to implement permission control: Roles and Permission Sets. Before we talk about Roles, let's have a refresher on basic Objects and Records. An Object is like a table in SQL. A Record is like a row in SQL. For an object with private access, only the record owner can read the records. For an object with public access, everyone can read the records.
Now we can talk about Roles. Imagine your company has three positions: customer support, customer support manager, customer support director. A logical way to manage their permission to support cases would be to have customer support agents have access to their own assigned cases, and no access to other customer support agents' cases. But the manager needs visibility into all of the customer support agents' cases, while at the same time they can't access other support managers' cases. And this is what Roles are for: it is a way to extend permission beyond the record owners. By granting users different roles, they get expanded access to the roles below them.
And permission sets are the same: they expand access, they do not restrict it. Whenever you see a permission set assigned to a profile, you should think this profile has additional permission granted. Tomorrow I'll focus on how to get the custom apex classes by parsing the js files.
3
1
39
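Both request shapes quoted in the Day 8 tweet carry the Apex class and method in different places. The following is an added example (not the author's code) that normalises captured request bodies into one row per Apex call, so a defender reviewing guest-accessible traffic can see which classes are being invoked. The two bodies are copied from the tweet; the "source" labels and the third, non-Apex aura action are constructed for the sample, and reading an empty namespace as "not from a managed package" is an assumption.

```python
import json

# Constructed sample: the first two bodies are the ones quoted in the tweet; the
# "source" labels are made up, and the third body is an invented non-Apex aura
# action included only to show that it is ignored.
SAMPLE_REQUESTS = [
    {"source": "/webruntime/api/apex/execute",
     "body": '{"namespace":"","classname":"@udd/01pJX00000AVDo1","method":"createBird","isContinuation":false,"params":{"name":"df"},"cacheable":false}'},
    {"source": "aura",
     "body": '{"actions":[{"id":"83;a","descriptor":"aura://ApexActionController/ACTION$execute","callingDescriptor":"UNKNOWN","params":{"namespace":"","classname":"CustomBirdController","method":"getAllBirds","cacheable":false,"isContinuation":false}}]}'},
    {"source": "aura",
     "body": '{"actions":[{"id":"1;a","descriptor":"aura://ExampleOnlyController/ACTION$doThing","params":{}}]}'},
]

APEX_EXECUTE = "aura://ApexActionController/ACTION$execute"

def apex_invocations(body: str):
    """Yield (classname, method, namespace) for each Apex call in one request body.
    Recognises both shapes from the tweet; anything else yields nothing."""
    try:
        data = json.loads(body)
    except ValueError:
        return
    if not isinstance(data, dict):
        return
    # Shape 1: /webruntime/api/apex/execute carries the call at the top level.
    # The classname may be a plain name or an id-style reference ("@udd/01p..."); both are kept verbatim.
    if "classname" in data and "method" in data:
        yield data["classname"], data["method"], data.get("namespace", "")
        return
    # Shape 2: an aura batch; only ApexActionController/ACTION$execute reaches Apex.
    for action in data.get("actions", []):
        params = action.get("params", {})
        if action.get("descriptor") == APEX_EXECUTE and "classname" in params and "method" in params:
            yield params["classname"], params["method"], params.get("namespace", "")

def audit(requests: list[dict]) -> list[dict]:
    """One row per Apex call across captured requests. 'unpackaged' flags an empty
    namespace (assumed here to mean the class is not from a managed package), i.e.
    code the org itself, not Salesforce core, is responsible for reviewing."""
    rows = []
    for r in requests:
        for cls, meth, ns in apex_invocations(r["body"]):
            rows.append({"source": r["source"], "classname": cls, "method": meth,
                         "namespace": ns, "unpackaged": ns == ""})
    return rows
```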
@ngalongc
Ron Chan
1 month
@gregxsunday Can't lie, this tweet made me sweat a little and want to rewrite everything I wrote
1
0
20
@ngalongc
Ron Chan
1 month
@monkehack @ConspiracyProof True, when I come to think about it, SF also writes apex classes for customers too, so scratch "So in the future whenever you see an apex schema, you know it is a custom apex class written by the salesforce customers"; it could be written by SF or customers
1
0
4
@ngalongc
Ron Chan
1 month
So in the future whenever you see an apex schema, you know it is a custom apex class written by the salesforce customers. And that's usually where the fun begins I suppose, because SF core is locked down, but not the SF customers' self-written classes 😆
1
0
8
@ngalongc
Ron Chan
1 month
Visible = read / write
Visible + readonly = read
nothing = no read, no write
This is a wrap! Hope this is going to be helpful to some of you.
0
0
7
@ngalongc
Ron Chan
1 month
- Profile: every user has a profile attached to them, and every action is performed by a user, so we need to know about it too. Notice how a Profile can have different individual Object settings. This is a further limit on top of the sharing settings, say if your user is external
1
0
3
@ngalongc
Ron Chan
1 month
And notice we have Private/Public read/write for Internal/external access for objects? If the access is Private, then only the record owner can view/edit; if the access is set to Public, then all (external/internal) users can view it
1
0
3
@ngalongc
Ron Chan
1 month
License: every user has their own license in SF; if the license is internal, then the user is an internal user.
Internal license:
- Salesforce License
- Salesforce Platform License
External license:
- Customer Community License
- Partner Community License
1
0
3
@ngalongc
Ron Chan
1 month
- Each record has a Record Owner (it has to be a User)
Now we have the basics sorted, let's talk about the configurations
- Sharing Settings: this is where you can control the permission level for internal and external users
What makes a user external/internal then?
1
0
4
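The Day 8 tweet on Roles and Permission Sets and the earlier thread on licenses, Sharing Settings and Profile object settings together describe one access model. The following is an added example (not the author's code) that encodes those rules as a small evaluator: Private/Public sharing per internal/external audience, record ownership, a role hierarchy that only widens access downward, permission sets that only add, and the Visible / Visible + readonly / nothing profile settings. All users, roles, objects and permission-set names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of the rules in the thread: object sharing per audience (Private =
# owner only, Public = everyone), a role hierarchy that only widens access downward,
# permission sets that only add, and profile object settings (visible = read/write,
# visible+readonly = read, nothing = none). All names below are made up.

@dataclass
class User:
    name: str
    role: str | None
    external: bool                        # decided by the license type
    profile_access: dict[str, str]        # object -> "visible" | "readonly" | "none"
    permission_sets: set[str] = field(default_factory=set)

SHARING = {"Case": {"internal": "Private", "external": "Private"},    # object -> audience -> model
           "Article": {"internal": "Public", "external": "Public"}}
PARENT_OF = {"agent": "manager", "manager": "director"}               # role -> role directly above
PERM_SET_GRANTS = {"CaseAdmin": {"Case"}}                              # set -> objects it opens (r/w)
USERS = {u.name: u for u in [
    User("alice", "agent", False, {"Case": "visible", "Article": "visible"}),
    User("bob", "agent", False, {"Case": "visible", "Article": "visible"}),
    User("carol", "manager", False, {"Case": "visible", "Article": "visible"}),
    User("dave", "director", False, {"Case": "readonly", "Article": "visible"}, {"CaseAdmin"}),
    User("erin", None, True, {"Case": "readonly", "Article": "readonly"}),
]}

def role_is_above(boss: str, role: str) -> bool:
    # Walk up from role; True if boss is reached, i.e. strictly above it.
    while role in PARENT_OF:
        role = PARENT_OF[role]
        if role == boss:
            return True
    return False

def access(user: str, obj: str, owner: str) -> str:
    """'read', 'write' or 'none' for user on one record of obj owned by owner."""
    u, o = USERS[user], USERS[owner]
    # 1. Object-level cap from the profile; a permission set may only widen it.
    prof = u.profile_access.get(obj, "none")
    widened = any(obj in PERM_SET_GRANTS.get(ps, set()) for ps in u.permission_sets)
    if prof == "none" and not widened:
        return "none"
    # 2. Record-level sharing: owner, Public object, or a role above the owner's role.
    model = SHARING[obj]["external" if u.external else "internal"]
    shared = model == "Public" or owner == user or bool(u.role and o.role and role_is_above(u.role, o.role))
    if not shared:
        return "none"
    # 3. A read-only profile caps to read unless a permission set widened it.
    return "read" if prof == "readonly" and not widened else "write"
```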