Code reviews rule: Apex User Registration Without Limit

Written by David Martin
Updated this week

Apex User Registration Without Limit

Why is this an issue?

When User record creation (insert or upsert on User objects) is unconditionally accessible from external entry points like @AuraEnabled or @RestResource methods, attackers could abuse this to:

  • Create unlimited user accounts: Potentially exhausting your org's user license allocation

  • Denial of service: Flooding your org with user records

  • License cost escalation: Creating users that consume paid licenses

This rule detects User creation operations that are reachable from external entry points without any conditional guards.

Examples

Example of incorrect code:

public class UserRegistration {
    @AuraEnabled
    public static void registerUser(String username, String email) {
        // No guard of any kind: every caller of this Aura endpoint can insert a User
        User u = new User(
            Email = email,
            Username = username
        );
        insert u;
    }
}

Example of correct code:

public class UserRegistration {
    @AuraEnabled
    public static void registerUser(String username, String email) {
        // Validate registration is allowed
        if (!isRegistrationEnabled()) {
            throw new AuraHandledException('Registration is currently disabled');
        }

        // Rate limit check
        if (hasExceededRegistrationLimit()) {
            throw new AuraHandledException('Registration limit exceeded');
        }

        User u = new User(
            Email = email,
            Username = username
        );
        insert u;
    }

    private static Boolean isRegistrationEnabled() {
        return Custom_Settings__c.getInstance().Enable_Registration__c;
    }

    private static Boolean hasExceededRegistrationLimit() {
        // Implement rate limiting logic
        return false;
    }
}

How can I fix violations?

Add appropriate guards before User creation operations:

  1. Authorization check: Verify the caller has permission to create users

  2. Rate limiting: Implement limits on how many users can be created in a time period

  3. Feature flag: Use a custom setting to enable/disable self-registration

  4. CAPTCHA or verification: Require human verification before user creation
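The following class is an added example of applying all four guards above in one @AuraEnabled entry point; it is not the rule's own code or sample. It assumes hypothetical metadata that you would create in your org: a hierarchy custom setting Registration_Settings__c (fields Enable_Registration__c, Max_Per_Hour__c, Profile_Id__c, License_Name__c, License_Reserve__c), a custom object Registration_Verification__c (fields Email__c, Code__c, Expires__c, Used__c) holding one-time codes already sent to the applicant, and a custom permission named Self_Register. The verification step uses an emailed code rather than a CAPTCHA service so that it needs no external callout.

```apex
// Added example, not the rule's own code. Assumed (hypothetical) metadata:
//   Registration_Settings__c      hierarchy custom setting (see lead-in)
//   Registration_Verification__c  custom object holding one-time codes
//   'Self_Register'               custom permission granted to allowed callers
public with sharing class GuardedUserRegistration {

    @AuraEnabled
    public static Id registerUser(String username, String email,
                                  String lastName, String verificationCode) {
        Registration_Settings__c cfg = Registration_Settings__c.getOrgDefaults();

        // 3. Feature flag: self-registration can be switched off without a deploy
        if (cfg == null || cfg.Enable_Registration__c != true) {
            throw new AuraHandledException('Registration is currently disabled');
        }

        // 1. Authorization: the caller needs the custom permission AND
        //    object-level create access on User (the two are checked separately
        //    so that neither a stray permission set nor profile CRUD alone is enough)
        if (!FeatureManagement.checkPermission('Self_Register')
                || !Schema.sObjectType.User.isCreateable()) {
            throw new AuraHandledException('Not authorized to create users');
        }

        // 2. Rate limit: cap Users created through this path per hour. Keyed on
        //    the calling user, so a shared guest user shares one bucket, which is
        //    the intended behaviour for a public endpoint.
        if (usersCreatedInLastHour() >= Integer.valueOf(cfg.Max_Per_Hour__c)) {
            throw new AuraHandledException('Registration limit exceeded');
        }

        // 2b. License headroom: refuse before the pool is exhausted so that
        //     administrators can still be provisioned
        if (!hasLicenseHeadroom(cfg)) {
            throw new AuraHandledException('No licenses available for registration');
        }

        // 4. Verification: the applicant must present the one-time code that was
        //    sent to the address; the code is consumed on first use
        if (!consumeVerificationCode(email, verificationCode)) {
            throw new AuraHandledException('Verification failed');
        }

        User u = new User(
            Username = username,
            Email = email,
            LastName = lastName,
            Alias = email.substringBefore('@').left(8),   // Alias is limited to 8 chars
            ProfileId = cfg.Profile_Id__c,                // assumed: a restricted profile
            TimeZoneSidKey = 'America/Los_Angeles',
            LocaleSidKey = 'en_US',
            EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US'
        );
        try {
            insert u;
        } catch (DmlException e) {
            // Do not leak field-level DML detail to the client
            throw new AuraHandledException('Could not create user');
        }
        return u.Id;
    }

    // Number of Users this caller has created in the trailing hour
    private static Integer usersCreatedInLastHour() {
        Datetime cutoff = Datetime.now().addHours(-1);
        Id me = UserInfo.getUserId();
        return [SELECT COUNT() FROM User
                WHERE CreatedDate >= :cutoff AND CreatedById = :me];
    }

    // True while used licenses plus the configured reserve stay below the total
    private static Boolean hasLicenseHeadroom(Registration_Settings__c cfg) {
        List<UserLicense> lic = [SELECT TotalLicenses, UsedLicenses FROM UserLicense
                                 WHERE Name = :cfg.License_Name__c LIMIT 1];
        if (lic.isEmpty()) {
            return false; // misconfigured license name: fail closed
        }
        Integer reserve = cfg.License_Reserve__c == null
            ? 0 : Integer.valueOf(cfg.License_Reserve__c);
        return lic[0].UsedLicenses + reserve < lic[0].TotalLicenses;
    }

    // Marks a matching, unexpired, unused code as used; false if none matches
    private static Boolean consumeVerificationCode(String email, String code) {
        Datetime now = Datetime.now();
        List<Registration_Verification__c> rows = [
            SELECT Id, Used__c FROM Registration_Verification__c
            WHERE Email__c = :email AND Code__c = :code
              AND Used__c = false AND Expires__c > :now
            LIMIT 1];
        if (rows.isEmpty()) {
            return false;
        }
        rows[0].Used__c = true;
        update rows;
        return true;
    }
}
```

The guards are ordered so that the cheapest checks run first and the verification code is only consumed once the caller is authorized and under the limit; otherwise a flood of requests could burn valid codes without ever creating a user. Each branch fails closed (a missing setting or license row refuses registration), which is the behaviour you want from a guard the rule cannot see into.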

When should I disable this rule?

You may want to dismiss this issue if:

  • The user creation is protected by other mechanisms not visible to the rule (e.g., Flow-level validation)

  • You have implemented rate limiting at the network or platform level

  • The endpoint is only accessible to authenticated administrators
