jameskCA

Permission issue on Apex deleting attachments from opportunity

I recently ran into an Apex unexpected exception error that I believe is related to permissions related to deleting attachments.  The process is, when an opportunity is set to a certain stage (converted to project) it creates a project and, among other things, moves all the attachments from the opportunity to the project via Apex and then deletes the attachments from the opportunity.

Here is the error in the debug log:

11:34:10.365 (2365851365)|DML_BEGIN|[98]|Op:Delete|Type:Attachment|Rows:5
11:34:10.365 (2365868983)|LIMIT_USAGE|[98]|DML|3|150
11:34:10.365 (2365882912)|LIMIT_USAGE|[98]|DML_ROWS|11|10000
11:34:10.365 (2365901258)|HEAP_ALLOCATE|[EXTERNAL]|Bytes:24
11:34:10.365 (2407602848)|DML_END|[98]
11:34:10.365 (2407856725)|EXCEPTION_THROWN|[98]|System.DmlException: Delete failed. First exception on row 0 with id 00P1C00003o9HWfUAM; first error: INSUFFICIENT_ACCESS_OR_READONLY, insufficient access rights on object id: []
11:34:10.365 (2408457394)|HEAP_ALLOCATE|[98]|Bytes:161
11:34:10.365 (2408509370)|METHOD_EXIT|[71]|01p15000007Y5uA|ProjectTriggerHandler.bulkAfter()
11:34:10.365 (2408531750)|METHOD_EXIT|[27]|01p15000007Y5uD|TriggerFactory.execute(ITrigger)
11:34:10.365 (2408544364)|SYSTEM_MODE_EXIT|false
11:34:10.365 (2408558460)|METHOD_EXIT|[3]|01p15000007Y5uD|TriggerFactory.createHandler(Schema.SObjectType)
11:34:10.365 (2409077931)|FATAL_ERROR|System.DmlException: Delete failed. First exception on row 0 with id 00P1C00003o9HWfUAM; first error: INSUFFICIENT_ACCESS_OR_READONLY, insufficient access rights on object id: []
Class.ProjectTriggerHandler.bulkAfter: line 98, column 1
Class.TriggerFactory.execute: line 71, column 1
Class.TriggerFactory.createHandler: line 27, column 1
Trigger.ProjectTrigger: line 3, column 1
11:34:10.365 (2409210634)|FATAL_ERROR|System.DmlException: Delete failed. First exception on row 0 with id 00P1C00003o9HWfUAM; first error: INSUFFICIENT_ACCESS_OR_READONLY, insufficient access rights on object id: []

The id in the error is for an attachment on the opportunity.  

I'm not a developer but am managing this Salesforce instance.  My understanding was that Apex ran at a system privilege level, but the error makes it seem like the DML statement is running with the user permission of the user that saves the record.  Is there a way to make it so this particular Apex trigger runs with elevated privileges so we don't need to give this user more privileges or change the role hierarchy?
 
jameskCA
Here is what I believe is the code causing the error:
if(opportunityAttachments.size()>0){
                    
                    List<Attachment> newAttachment = new List<Attachment>();
                    List<Attachment> deleteAttachment = new List<Attachment>();
                    Attachment tempAttachment;
                    
                    //Loop through all returned Attachment records
                    for(Attachment a : opportunityAttachments)
                    {
                        //Determine if the current Attachment is associated to one of our Opportunities within our opportunityToProjectMap
                        if(opportunityToProjectMap.containsKey(a.ParentId)){
                            System.debug('----->Attachment current ParentId = ' + a.ParentId);
                            
                            tempAttachment = a.clone(false,false);
                            tempAttachment.ParentId = opportunityToProjectMap.get(a.ParentId);  // move it to a Project
                            tempAttachment.OwnerId = UserInfo.getUserId();
                            System.debug('----->New Attachment ParentId = ' + tempAttachment.ParentId);
                            newAttachment.add(tempAttachment);
                            deleteAttachment.add(a);                            
                        }
                    }
                    
                    if(newAttachment.size() >0){
                        insert newAttachment;
                    } 
                    if(deleteAttachment.size() >0){
                        delete deleteAttachment;
                    } 
                }

 
Shikibu
Your apex code needs to be "without sharing" (https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm?search_text=without%20sharing). But may I suggest that you are pretty much over your head here? You won't be able to edit apex code in production. A developer would need to make this change, test it, and deploy it from a sandbox or scratch org to your production org.
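
One way to apply the "without sharing" suggestion above while keeping the elevated code as small as possible, shown as an added example that is not part of the original thread or the poster's ProjectTriggerHandler. The class name OpportunityAttachmentMover, the method moveToProjects and the Map<Id, Id> type of opportunityToProjectMap are assumptions; the helper re-queries the attachments itself so callers cannot hand it arbitrary records to delete.

```apex
// Added example: hypothetical helper class, names are assumptions.
// Only this class is declared "without sharing"; the rest of the trigger
// handler keeps whatever sharing behaviour it has today.
public without sharing class OpportunityAttachmentMover {

    // opportunityToProjectMap: Opportunity Id -> Project Id, built by the caller.
    public static void moveToProjects(Map<Id, Id> opportunityToProjectMap) {
        if (opportunityToProjectMap == null || opportunityToProjectMap.isEmpty()) {
            return;
        }

        // Accept only Opportunity Ids as source parents, so this helper cannot
        // be reused to delete attachments from other objects.
        Set<Id> opportunityIds = new Set<Id>();
        for (Id parentId : opportunityToProjectMap.keySet()) {
            if (parentId.getSObjectType() == Opportunity.SObjectType) {
                opportunityIds.add(parentId);
            }
        }
        if (opportunityIds.isEmpty()) {
            return;
        }

        // Query inside the helper: the delete below can only ever touch
        // attachments that sit on the opportunities being converted.
        List<Attachment> opportunityAttachments = [
            SELECT Id, Name, Body, ContentType, Description, IsPrivate, ParentId
            FROM Attachment
            WHERE ParentId IN :opportunityIds
        ];

        List<Attachment> newAttachments = new List<Attachment>();
        for (Attachment a : opportunityAttachments) {
            Attachment copy = a.clone(false, false);
            copy.ParentId = opportunityToProjectMap.get(a.ParentId); // move it to a Project
            copy.OwnerId = UserInfo.getUserId();
            newAttachments.add(copy);
        }

        // Both statements run in the trigger's transaction: if the delete
        // fails, the uncaught DmlException rolls back the inserted copies too.
        if (!newAttachments.isEmpty()) {
            insert newAttachments;
            delete opportunityAttachments;
        }
    }
}
```

The existing handler would call OpportunityAttachmentMover.moveToProjects(opportunityToProjectMap) in place of the block posted above; as the answer says, the change still has to be tested in a sandbox and deployed from there.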
jameskCA
Thanks for the info.  I'm not a developer but I've updated a lot of Apex code so I'm familiar with the process of deploying from a sandbox.  I'll take a look at the links you sent and most likely work with a developer to get this fixed.