Invoking a custom Apex REST
Web service method always uses system context. Consequently, the current user's credentials are
not used, and any user who has access to these methods can use their full power, regardless of
permissions, field-level security, or sharing rules. Developers who expose methods using the Apex REST annotations should
therefore take care that they are not inadvertently exposing any sensitive data.
Apex class methods that are exposed through the Apex REST API don't enforce object
permissions and field-level security by default. We recommend that you make use of the
appropriate object or field describe result methods to check the current user’s access
level on the objects and fields that the Apex REST API method is accessing. See
DescribeSObjectResult Class and DescribeFieldResult Class.
Also, sharing rules (record-level access) are enforced only when declaring a class
with the with sharing keyword. This requirement applies
to all Apex classes, including to classes that are exposed through Apex REST API. To enforce sharing rules
for Apex REST API methods, declare
the class that contains these methods with the with
sharing keyword. See Using the with sharing or without
sharing Keywords.