"With Sharing" keyword has no effect
Hello,
I have a custom VF page and controller. The controller is declared as
public with sharing class MyCustomController {
The user accessing this page is a Partner user and does not have "Edit" Permissions on Leads but is still able to assign leads to other users.
I also tried assigning leads to a user who does not have "Read" permission on leads and that also, surprisingly, worked.
As per my understanding, if I declare the class with the "with sharing" keyword, it should take into account the user permission.
Can someone explain why the "with sharing" is not having any effect?
Thanks,
Rohit
Moved to the Apex discussion board as this is not unique to Visualforce.
What you are talking about is object permission, not sharing. "With Sharing" applies the sharing rules so a user cannot see or modify records that they would not be able to otherwise according to their role/sharing rules, and does not consider accessibility to the object itself.
If you want to check a user's access to an object before performing the action, the describe result for the object (and fields) provides an isAccessible() method to check for the runtime user's Read access. Here you seem to be looking for editability on lead, which would look like this:
Boolean hasEditAccessToLead = Schema.SobjectType.Lead.isUpdateable();
The other thing you can do, which is specific to Visualforce, is leverage the inputField component to bind to lead.owner, which will enforce object and field permissions, i.e. in this case the following binding would just show the read-only current value of the owner's name for a user without edit rights to the Lead object:
<apex:page controller="editleadownercon">
    <apex:sectionHeader title="Lead owner change" subtitle="{!lead.name}"/>
    <apex:form >
        <apex:pageBlock >
            <apex:pageBlockSection >
                <apex:inputField value="{!lead.ownerid}"/>
            </apex:pageBlockSection>
        </apex:pageBlock>
    </apex:form>
</apex:page>

public class editleadownercon {
    public editleadownercon() {
        lead = [select ownerId, name from lead limit 1];
    }
    public Lead lead { get; set; }
}
If this is only a Visualforce issue, you can also leverage the $ObjectType global within the page to get the same describe information as noted above in Apex. So let's say you wanted to bind to a String or Id, call it ownerId; you could do this:
<apex:inputText value="{!ownerId}" disabled="{!NOT($ObjectType.Lead.updateable)}"/>
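The two layers described in this answer, combined in one controller as an added example (not code from the thread; the class name, the `newOwnerId` property, the `reassign` action and the `id` page parameter are hypothetical). `with sharing` covers record-level access, and the describe calls cover the object permission that `with sharing` ignores.

```apex
// Added example, not from the original thread. Names are hypothetical.
public with sharing class LeadOwnerChangeController {
    public Lead lead { get; private set; }
    public Id newOwnerId { get; set; }

    public LeadOwnerChangeController() {
        Id leadId = ApexPages.currentPage().getParameters().get('id');
        // Object-level check: does the running user have Read on Lead at all?
        if (Schema.sObjectType.Lead.isAccessible()) {
            // Record-level check: "with sharing" returns only rows that the
            // running user's role and sharing rules make visible.
            List<Lead> rows = [SELECT Id, Name, OwnerId FROM Lead
                               WHERE Id = :leadId LIMIT 1];
            lead = rows.isEmpty() ? null : rows[0];
        }
    }

    public PageReference reassign() {
        if (lead == null) {
            addError('Lead not found or not visible to you.');
            return null;
        }
        // Object-level check: "with sharing" does not look at Edit permission,
        // so it has to be tested explicitly before the DML.
        if (!Schema.sObjectType.Lead.isUpdateable()) {
            addError('You do not have Edit permission on Leads.');
            return null;
        }
        try {
            // Record-level check: under "with sharing" this update fails with
            // a DmlException if the user has no edit access to this row.
            update new Lead(Id = lead.Id, OwnerId = newOwnerId);
            lead.OwnerId = newOwnerId;
        } catch (DmlException e) {
            addError(e.getDmlMessage(0));
            return null;
        }
        return new PageReference('/' + lead.Id);
    }

    private void addError(String msg) {
        ApexPages.addMessage(
            new ApexPages.Message(ApexPages.Severity.ERROR, msg));
    }
}
```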
Thanks Andrew.
Cleared my misunderstanding on 'with sharing'.
-Rohit
Andrew,
As in the example of changing the ownerId, is there a way to check the permission of the new owner?
All documentation points to access of the current user and I was not able to see anything for checking access of a specific user.
Thanks,
Rohit
No, there is no way to inspect the permissions/access of another user. Is your concern about the receiving user having read access to the object?
Andrew,
Thanks for the reply.
Yes...The concern is that the new owner should have at least read access on the object. Is there a way to check this?
Thanks
Rohit
I believe the $ObjectType.object.updateable returns true if the current user has permission to update the object. In other words, "Object Level Security". But it is often the case that a user has permission, in general, to edit an object but they lack sufficient permission to edit a specific instance of an object.
Take for instance CaseComment. If you are the creator of a CaseComment (or have modify all privileges) then you can edit it. But if the CaseComment was created by another user then you won't be able to edit it.
How can we determine row level or record level privileges?
May I know what is the difference between WITH SHARING and WITHOUT SHARING?
"Using the WITH SHARING or WITHOUT SHARING Keywords" in the Apex Language Reference