Mike Summitt

How can I code a class to have permission to add and delete contacts when the invoking user doesn't, and not use “without sharing”?

How can I code a class so that it will have permission to add and delete contact objects, even when the invoking user doesn't, and not use "without sharing" (Salesforce security review won't allow it)?

The class is an entry point in a managed package, and must pass security review, so "without sharing" is not allowed, and neither is omitting the sharing clause. The class sends emails using templates, which requires each addressee to have a Contact object. Therefore, it must create temporary Contact objects and then delete them after the email is sent.
Virendra Singh Naruka
Hi Mike,
Try using a future method.
 
Nagendra (Salesforce Developers)
Hi Mike,

Salesforce Security Office Hours might throw more light here, but I have seen apps where, if it is a valid business scenario like yours, you can use without sharing, add it to the false positive document, and document in the code why you needed this exemption from CRUD/FLS; that should pass the review. (You need to get confirmation from the security review team via office hours.)

One more option is to create a separate Custom Object (or Custom Setting) to store delete requests, and then create a recurring job to check for them and perform the delete. Then you can run the recurring job as a User who has delete permissions, but other users can still make the request. You could even build an Approval Process around them if you wish.

Kindly mark this post as solved if the information helps, so that it gets removed from the unanswered queue and becomes a proper solution that helps others who are really in need of it.

Best Regards,
Nagendra.P
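
The second option in the answer above (a request object plus a recurring job run by a user who has delete permission), shown as an added Apex example that is not part of the thread or of any Salesforce sample. The custom object `Contact_Delete_Request__c`, its Contact lookup field `Contact__c`, the class name, and the schedule in the comment are hypothetical.

```apex
// Added example. Hypothetical schema: Contact_Delete_Request__c with a
// Lookup(Contact) field Contact__c pointing at the temporary Contact.
public with sharing class ContactDeleteRequestJob implements Schedulable {

    public void execute(SchedulableContext ctx) {
        // Scheduled Apex runs as the user who scheduled the job, so these
        // CRUD/FLS checks evaluate that user's permissions, not the requester's.
        if (!Schema.sObjectType.Contact.isDeletable()
            || !Schema.sObjectType.Contact_Delete_Request__c.isDeletable()
            || !Schema.sObjectType.Contact_Delete_Request__c.fields.Contact__c.isAccessible()) {
            return; // the job's user lacks the rights; leave the queue untouched
        }

        List<Contact_Delete_Request__c> requests = [
            SELECT Id, Contact__c
            FROM Contact_Delete_Request__c
            WHERE Contact__c != null
            LIMIT 200
        ];
        if (requests.isEmpty()) { return; }

        Set<Id> contactIds = new Set<Id>();
        for (Contact_Delete_Request__c r : requests) {
            contactIds.add(r.Contact__c);
        }

        // "with sharing" still applies: only Contacts visible to the job's user.
        List<Contact> toDelete = [SELECT Id FROM Contact WHERE Id IN :contactIds];

        // allOrNone = false so one locked or failed row does not block the rest.
        Set<Id> deleted = new Set<Id>();
        for (Database.DeleteResult dr : Database.delete(toDelete, false)) {
            if (dr.isSuccess()) { deleted.add(dr.getId()); }
        }

        // Clear only the requests that were fulfilled; failures stay queued.
        List<Contact_Delete_Request__c> done = new List<Contact_Delete_Request__c>();
        for (Contact_Delete_Request__c r : requests) {
            if (deleted.contains(r.Contact__c)) { done.add(r); }
        }
        Database.delete(done, false);
    }
}
// Scheduled once by a user who has delete permission on Contact, e.g. hourly:
// System.schedule('Contact delete requests', '0 0 * * * ?', new ContactDeleteRequestJob());
```

The job deletes whatever Contact a request points at, so who may create request records, and for which Contacts, decides how much privilege the queue hands to low-permission users.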