• 4larryj
  • Member since 2009


I want to know what level of CRUD access the current user has on a particular record.   In other words, can this user read, update and/or delete this record.  On the surface this seems like it should be simple using Apex.  However I'm at a loss.

 

This is particularly painful because the UI gives me the answer.  Go to a Record Detail page, click Sharing, click Expand List.  Voila!   A complete list of users that have access to that record, and what that access is.

 

So what's the best way to achieve this programmatically?

 

At least 3 things to consider:

 

1) Profile Permissions.  This part is simple.  The sObject's various Describe Result methods tell me whether a User's Profile permits him to read (isAccessible()) or update  (isUpdatable()) or delete (isDeletable()) records of this object type.   This is a top-level check.  It doesn't address this particular record, just records of this type.

 

2) Record ownership.  If 1) is satisfied, and the current user is the owner of this particular record, all CRUD operations should be available

 

3) Managed and Manual Sharing.  **Here's where I'm having trouble.**  Is there a simple way to discover if this record is shared with this user and with what level of access? The sharing information for a record can be found by querying its equivalent Share object (AccountShare is the sharing object for the Account object).  But if a sharing rule is defined on a Role (or Role plus subordinates), you cannot see all users given access by that rule!   As far as I can tell, you must:

 

  a) query the Share object's userOrGroupId column

  b) figure out if that Id is a User, Group or Role

  c) If it's a Role, query the groups table to find all users in that role

  d) If it's a Role, use recursive logic to find all users above that role in the role hierarchy

  e) If it's a Role and the sharing applies to this Role *and subordinates*, use recursive logic to find all users subordinate to that role in the role hierarchy

 

Isn't there a simpler way?
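
Added example, not part of the original post: one way to answer the record-level question for the current user is to query the `UserRecordAccess` object, which reports effective read, edit and delete access per record, and combine it with the describe check from item 1. The class and method names are hypothetical, and the code assumes an API version that exposes `UserRecordAccess`.

```apex
// Added example (not from the original post); class and method names are hypothetical.
public with sharing class RecordAccessChecker {

    public class Access {
        public Boolean canRead = false;
        public Boolean canEdit = false;
        public Boolean canDelete = false;
    }

    // A UserRecordAccess query accepts at most 200 record Ids at a time.
    private static final Integer MAX_IDS_PER_QUERY = 200;

    // Returns effective access for the running user; Ids with no row stay all-false.
    public static Map<Id, Access> forCurrentUser(List<Id> recordIds) {
        Map<Id, Access> result = new Map<Id, Access>();
        for (Id rid : recordIds) {
            result.put(rid, new Access());
        }
        Id userId = UserInfo.getUserId();
        List<Id> chunk = new List<Id>();
        for (Integer i = 0; i < recordIds.size(); i++) {
            chunk.add(recordIds[i]);
            if (chunk.size() == MAX_IDS_PER_QUERY || i == recordIds.size() - 1) {
                // Record-level result: ownership, sharing rules, role hierarchy, manual shares.
                for (UserRecordAccess ura : [
                        SELECT RecordId, HasReadAccess, HasEditAccess, HasDeleteAccess
                        FROM UserRecordAccess
                        WHERE UserId = :userId AND RecordId IN :chunk]) {
                    Id rid = (Id) ura.RecordId;
                    // Object-level check (item 1) for this record's type.
                    Schema.DescribeSObjectResult d = rid.getSObjectType().getDescribe();
                    Access a = result.get(rid);
                    a.canRead = ura.HasReadAccess && d.isAccessible();
                    a.canEdit = ura.HasEditAccess && d.isUpdateable();
                    a.canDelete = ura.HasDeleteAccess && d.isDeletable();
                }
                chunk.clear();
            }
        }
        return result;
    }
}
```

Because Ids without a returned row keep the all-false default, a caller that gates an update or delete on this result fails closed.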

 

 

I like the promise of destructiveChanges.xml (you can finally remove object fields, triggers, etc. as part of your build) but it is unusable for our org.  Including this file renders the build not re-runnable...in other words, it breaks the build after one run in the same environment!

 

If you run it once, great, the elements are deleted.  But if you run it a second time you get errors similar to these:

 

BUILD FAILED

build.xml:62: Failures:

objects/Contract.object(Contract.SetContractToExpired):In field: name - no WebLink named Contract.SetContractToExpired found

objects/Contract.object(Contract.SetContractToCanceled):In field: name - no WebLink named Contract.SetContractToCanceled found

objects/Contract.object(Contract.SetContractToPaused):In field: name - no WebLink named Contract.SetContractToPaused found

 

The build fails when these elements are not found.  But they are not found because they were deleted in a prior run!   The build should not fail if elements to be deleted are not found.  It should either issue warnings or completely ignore, but it definitely should not fail.

 

If this file is included in source control, you will have problems using a continuous integration tool like Hudson or CruiseControl.  You will have problems running the build twice in the same environment.  You will have problems maintaining the file across a team of developers, some of whom have built using the latest destructiveChanges.xml and some who haven't.

 

As I'm writing this I realize I should post this on the Ideas board, but I'll post here in case someone has figured out a workaround for this and would like to share.

 

In the meantime we are going to continue to delete elements manually through the UI of every sandbox and production environment, ugh.

 

 

 

We would like to implement Single Sign-On and this wiki page looks very helpful:

http://wiki.developerforce.com/index.php/How_to_Implement_Single_Sign-On_with_Salesforce.com

 

However there's no mention of Partner Portal.  Is there a way to authenticate Partner Portal users using a Single Sign On methodology?

 

Help much appreciated.  


Hi,

 

I have created some batch Apex code along with other triggers and class/controller code.

 

When I run individual test methods on them, I get a successful test result along with a nice code coverage %. However, when I run all tests together, I get the following test failure errors:

 

1)System.AsyncException: Database.executeBatch cannot be called from a batch or future method.

2)System.AsyncException: Future method cannot be called from a future method: changeOwners(String, String)

3)System.AsyncException: Future method cannot be called from a future method: getLead_Rollup_Amount(Id)

4)System.AsyncException: Future method cannot be called from a future method: changeOwners(String, String)

 

Please note again that the exceptions don't come up when tested individually.

 

Please advise on same.

 

 

Thanks,

 

Vimal 


I have a very simple Batch class and I am trying to write a unit test to cover it but the execute method in this batch class is never executing. I'm stumped.

 

Batch Class:

    global class ideaCleanBatch implements Database.Batchable<sObject>{

        global Database.QueryLocator start(Database.BatchableContext bc){
            //We want to process all Ideas
            return Database.getQueryLocator('select Id from Idea');
        }

        global void execute(Database.BatchableContext bc, List<sObject> objects){
            Set<Id> ideaIds = new Set<Id>();
            for(sObject s : objects){
                Idea i = (Idea)s;
                ideaIds.add(i.Id);
            }
            //Send ideas to ideaClean for processing
            ideaClean.recalcNumbers(ideaIds);
        }

        global void finish(Database.BatchableContext bc){
            system.debug('All done.');
        }
    }

Test Method:

    static testMethod void ideaBatchTest(){
        List<Idea> ideas = new List<Idea>();
        Id communityId = [select Id from Community limit 1].Id;
        for(Integer i = 0; i < 200; i++){
            ideas.add(new Idea(Title = 'myIdea' + i, CommunityId = communityId));
        }
        insert ideas;

        Test.startTest();
        ideaCleanBatch job = new ideaCleanBatch();
        ID batchprocessid = Database.executeBatch(job);
        Test.stopTest();
    }

Coverage:

 

Thanks,

Jason

 

  • October 30, 2009

Hi Friends,

 

I have 5 profiles in my developer account, let's say profile 1, profile 2, ... profile 5.

I have given read and write permission for profile 1 on the account object and only read permission for all other profiles from 2 to 5.

So a profile 1 user is able to add notes & attachments on an account; the others won't, since they don't have the edit permission on accounts.

 

But a profile 2 user needs to add notes and attachments for an account. If I give edit permission to him, he will get edit permission for all other items in accounts. I want to give him access only to create notes and attachments.

 

Please tell me how to do this

also suggest me a solution for this requirement.

 

Thanks,

Ghilli.

  • September 17, 2009