Ranu Jain

Able to update record without having update permission by apex code.



I have created a VF page - test-ranu, controller - test_ranu

Code is here -

<apex:page controller="test_ranu">
<apex:form >
  <apex:pageblock >
  <apex:outputPanel id="op">****{!**bleep**s }</apex:outputPanel>
    <apex:pageblockButtons >
      <apex:commandButton value="done" action="{!done}" reRender="op"/>
    </apex:pageblockButtons>
  </apex:pageblock>
</apex:form>
</apex:page>

public with sharing class test_ranu {
  Apttus__APTS_Agreement__c  agg;
  public boolean **bleep**s {get;set;}
  public  test_ranu () {
    // Load the agreement record that the button will update
    agg = [select id from Apttus__APTS_Agreement__c where id = 'a3SV0000000c614' limit 1];
  }//end of constructor
  public void done() {
    try {
      agg.Apts_Legal_Review_Flag__c = true;
      // The DML runs before any permission check is made
      update agg;
      // The flag is set only if the running user has update permission on the object
      if( Schema.sObjectType.Apttus__APTS_Agreement__c.isUpdateable() )
      **bleep**s  = true;
    }catch(Exception e) {
    }
  }//end of method

}//end of class



User - Su om (Not system admin), permission on profile - No access on Agreement Object

Created a permission set and assigned permissions - Read, Create (on Agreement object).

Assigned this permission set to this user.


There is no sharing for this object.


When I check isUpdateable, it gives me 'false' for this user.

But when I click on the done button, the record is updated successfully and no exception occurs on update.


I tested for both 'With Sharing' and 'Without Sharing'. I found the same behaviour.


Please help.



Best Answer chosen by Admin (Salesforce Developers) 
As this is a custom controller, it runs with the permissions of the system user. The with/without sharing simply controls visibility of records, not the permissions that apply once you have access to a record.

Here's a link to the docs for this:
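
An added example, not part of the original thread or the poster's code: a hardened variant of the controller that checks object and field permissions itself before the DML, then issues the update in user mode so the platform enforces them as well. The class name, the `saved` property and the `id` page parameter are hypothetical, and `update as user` assumes an org on an API version that supports user-mode database operations.

```apex
// Added example (hypothetical names): the controller from the question with explicit CRUD/FLS enforcement.
public with sharing class AgreementReviewController {
    private Apttus__APTS_Agreement__c agg;
    public Boolean saved { get; private set; }

    public AgreementReviewController() {
        saved = false;
        // Assumption: the record Id arrives as the "id" page parameter instead of being hard-coded.
        String recordId = ApexPages.currentPage().getParameters().get('id');
        // "with sharing" only limits which rows this query returns;
        // it does not check object or field permissions.
        List<Apttus__APTS_Agreement__c> rows = [
            SELECT Id FROM Apttus__APTS_Agreement__c WHERE Id = :recordId LIMIT 1
        ];
        agg = rows.isEmpty() ? null : rows[0];
    }

    public void done() {
        saved = false;
        if (agg == null) {
            addError('Agreement not found or not shared with you.');
            return;
        }
        // Check object (CRUD) and field (FLS) permissions BEFORE the DML.
        // In the question the check came after "update agg", so it could not stop the write.
        Boolean canUpdate =
            Schema.sObjectType.Apttus__APTS_Agreement__c.isUpdateable() &&
            Schema.sObjectType.Apttus__APTS_Agreement__c.fields.Apts_Legal_Review_Flag__c.isUpdateable();
        if (!canUpdate) {
            addError('You do not have permission to update this agreement.');
            return;
        }
        try {
            agg.Apts_Legal_Review_Flag__c = true;
            // User-mode DML: the platform enforces the running user's permissions
            // instead of executing the update in system mode.
            update as user agg;
            saved = true;
        } catch (Exception e) {
            // Surface the failure on the page instead of swallowing it.
            addError(e.getMessage());
        }
    }

    private void addError(String msg) {
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, msg));
    }
}
```

With the permission set from the question (Read and Create only), `done()` stops at the permission check, leaves `saved` false, and the record is not modified.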