amar joshi

issues with permissions

Hi experts,

I want to create a VF page that runs with the standard Salesforce permissions: create, read, edit, delete.

So I am using the standard controller to enforce those permissions, so that if a user doesn't have edit permission, he can't edit.

Now my save method is from the extension controller, in which I am doing some validation checks and then invoking the save method of the standard controller.
(I am under the impression that if I invoke this method it will apply all the standard Salesforce permissions because I am using the standard controller.)

    public with sharing class oppoextension {
        public opportunity oppo;
        ApexPages.StandardController GstdController;

        // The extension constructor initializes the member variable oppo
        // by using the getRecord method from the standard controller.
        public oppoextension(ApexPages.StandardController stdController) {
            GstdController = stdController;
            this.oppo = (opportunity)GstdController.getRecord();
        }

        public pagereference mysave() {
            if(oppo.First_Name != 'amar') {
                oppo.adderror('Error');
            } else {
                // Save through the standard controller, then go to the view page.
                PageReference pr = GstdController.save();
                pageReference pv = GstdController.view();
                return pv;
            }
            return null;
        }
    }

 



But I don't see the permissions that I assign to users being enforced; for example, a user who doesn't have edit permission can edit the data through VF.

In related exercises I found that in a VF page it works in the presentation layer, meaning that if users don't have create or edit permission, it hides the save buttons, or your <apex:inputfield> components are rendered as <apex:outputfield>.

Now, coming to my question: I want to check some validation in my extension controller's save method, and I also have to enforce the edit, create and delete permissions. What can I do?

Best Answer chosen by Admin (Salesforce Developers) 
mtbclimber

amar joshi wrote:

...

Now my save method is from the extension controller, in which I am doing some validation checks and then invoking the save method of the standard controller.
(I am under the impression that if I invoke this method it will apply all the standard Salesforce permissions because I am using the standard controller.)

...

Not the case.  Apex runs as system and the standardcontroller save action will not throw an error if the user doesn't have create/edit permissions respectively.

 

You'll need to add a check in the controller for the things you want to enforce CRUD for, for example:

    public with sharing class oppoextension {
        public opportunity oppo;
        ApexPages.StandardController GstdController;

        // The extension constructor initializes the member variable oppo
        // by using the getRecord method from the standard controller.
        public oppoextension(ApexPages.StandardController stdController) {
            GstdController = stdController;
            this.oppo = (opportunity)GstdController.getRecord();
        }

        public pagereference mysave() {
            Schema.DescribeSobjectResult dsr = Opportunity.SObjectType.getDescribe();
            // New record needs create permission; existing record needs edit permission.
            if((oppo.id == null && !dsr.isCreateable()) ||
               (oppo.id != null && !dsr.isUpdateable())) {
                ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Insufficient Privileges'));
            } else if(oppo.name != 'amar') {
                oppo.adderror('Error');
            } else {
                PageReference pr = GstdController.save();
                return pr;
            }
            return null;
        }
    }

 

Of course, you can also check for these conditions within your page to prevent the user from clicking on an edit or save button, using the $ObjectType global, which is essentially the path into the same methods from DescribeSObjectResult you see above, so you might do this in your page:

 

 

<apex:commandButton value="save" action="{!save}" rendered="{!$ObjectType.Opportunity.updateable}"/>

 

You've already got the with sharing designation on your class, so if the user doesn't have appropriate rights to the specific opportunity, that is already taken care of, though you might want to ensure the user will see the message by using the pagereference returned from the standard save action (per the above example) rather than forcing the user to the view page of the opportunity after save. In the event the save is successful, the user will be taken to the view page in most cases, unless they came from another standard page in the application in the case where the page in question is used in an override situation.

 

Hope that helps.
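
The check from the answer above, extended to the delete permission the question also asks about. This is an added example, not code from either poster; the class and method names (OppoCrudExtension, requireAccess, mySave, myDelete) are hypothetical.

```apex
// Added example (not from the original thread): one CRUD gate shared by the
// save and delete actions of a Visualforce controller extension.
// OppoCrudExtension, requireAccess, mySave and myDelete are hypothetical names.
public with sharing class OppoCrudExtension {
    private final ApexPages.StandardController stdController;
    private final Opportunity oppo;

    public OppoCrudExtension(ApexPages.StandardController stdController) {
        this.stdController = stdController;
        this.oppo = (Opportunity) stdController.getRecord();
    }

    // Returns true when the running user holds the object permission the
    // action needs; otherwise adds a page message and returns false.
    private Boolean requireAccess(String action) {
        Schema.DescribeSObjectResult dsr = Opportunity.SObjectType.getDescribe();
        Boolean allowed;
        if (action == 'delete') {
            allowed = dsr.isDeletable();
        } else if (oppo.Id == null) {
            allowed = dsr.isCreateable();   // new record: create permission
        } else {
            allowed = dsr.isUpdateable();   // existing record: edit permission
        }
        if (!allowed) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient Privileges'));
        }
        return allowed;
    }

    public PageReference mySave() {
        if (!requireAccess('save')) {
            return null;             // stay on the page so the message shows
        }
        if (oppo.Name != 'amar') {   // validation rule used in the thread
            oppo.addError('Error');
            return null;
        }
        return stdController.save(); // null on failure keeps errors visible
    }

    public PageReference myDelete() {
        if (oppo.Id == null || !requireAccess('delete')) {
            return null;
        }
        return stdController.delete();
    }
}
```

The page needs an `<apex:pageMessages/>` component for the "Insufficient Privileges" message to be displayed.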