Jaggy

System mode is not working as expected

Hi Guys,


I am using a custom controller attached to a VF page as follows:

public without sharing class AccountController {

    private final Account account;

    // Load the Account whose Id is passed in the page's "id" URL parameter.
    public AccountController() {
        account = [SELECT Id, Name, Site FROM Account
                   WHERE Id = :ApexPages.currentPage().getParameters().get('id')];
    }

    // Exposes the record to the page as {!account}.
    public Account getAccount() {
        return account;
    }

    public PageReference save() {
        update account;
        return null;
    }
}


<apex:page controller="AccountController"> 
    {!account.name}
</apex:page>

I have a profile, Standard Employee, which doesn't have read access to Account, and the OWD for Account is Public Read Only. Now when I log in as a Standard Employee and open the VF page, no account name is displayed. As I understand it, in system mode profile-based permissions and FLS are not enforced. So what am I missing here?

Niket SF

Hello Jagdeep,

I think when you log in as another user, all the profile permissions will be enforced. That's why, when you want to check any accessibility or visibility, we log in as that specific user and check the actual behaviour.

If there is any sharing rule that is giving access to the "Standard Employee", it's not able to give you the perfect result because your class has the "without sharing" keyword.


Thanks

Nik's

Skype name : Niket Chandane

Jaggy

Nik,

Thanks for the reply,

But I don't agree with your answer. If system mode does what user mode does, then what's the difference between the two? Also, Salesforce says the following about system mode:

"Use custom controllers when you want your Visualforce page to run entirely in system mode, which does not enforce the profile-based permissions and field-level security of the current user."

Niket SF

There is no guarantee that a class declared as with sharing doesn't call code that operates as without sharing. Class-level security is always still necessary.


Best luck. 

Nik

kibitzer

Hi Jagdeep.


I haven't verified this, but I think the following is correct:


Your controller is returning the account object, but accessing the name is being done on the VisualForce page (outside of the controller) and is thus subject to sharing rules.


What you need to do is expose a property in your controller:


public String getAccountName() { return account.Name; }


Then on your VisualForce page use {!AccountName}


In this case the name is being retrieved by the controller (which can bypass the sharing rules) - so it should work.


Dan
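As an added example (not Dan's code or anything posted in this thread): a controller that exposes the name through a String getter, as Dan describes, but re-applies the object and field access checks that the direct {!account.name} binding would otherwise have enforced, since Visualforce does not apply FLS to a getter that returns a primitive. The class name AccountNameController and the "id" parameter are assumptions.

```apex
// Added example, not from the thread. Running "without sharing" in system
// mode means the SOQL query returns the row regardless of the current
// user's permissions, so the controller must decide what it hands to the page.
public without sharing class AccountNameController {

    private final Account account;

    public AccountNameController() {
        Id accountId = ApexPages.currentPage().getParameters().get('id');
        // System mode: ignores the running user's CRUD, FLS and sharing,
        // so this succeeds even for the "Standard Employee" profile.
        account = [SELECT Id, Name, Site FROM Account WHERE Id = :accountId];
    }

    // Primitive getter: the page applies no FLS here, so check object read
    // access and field access explicitly before returning data.
    public String getAccountName() {
        if (!Schema.sObjectType.Account.isAccessible()
            || !Schema.sObjectType.Account.fields.Name.isAccessible()) {
            // Deny by default: the running user may not read Account.Name.
            return null;
        }
        return account.Name;
    }

    // Alternative: let the platform strip fields the user cannot read.
    // Security.stripInaccessible (API 48.0+) returns clones with the
    // inaccessible fields removed; reading a stripped field would throw,
    // so isSet() is checked first.
    public String getAccountNameStripped() {
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.READABLE, new List<Account>{ account });
        Account visible = (Account) decision.getRecords()[0];
        return visible.isSet('Name') ? visible.Name : null;
    }
}
```

Bind either getter on the page as {!AccountName} or {!AccountNameStripped}; a user without read access to Account.Name sees an empty value instead of the query result leaking through the system-mode controller.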