Ranu Jain

Able to update record without having update permission by apex code.

Hi,

I have created a VF page - test-ranu, controller - test_ranu

Code is here -

<apex:page controller="test_ranu">
<apex:form >
  <apex:pageblock >
  <apex:outputPanel id="op">****{!**bleep**s }</apex:outputPanel>
    <apex:pageblockButtons >
      <apex:commandButton value="done" action="{!done}" reRender="op"/>
    </apex:pageblockButtons> 
  </apex:pageblock>
</apex:form>
</apex:page>



public with sharing class test_ranu {
  Apttus__APTS_Agreement__c  agg;
  public boolean **bleep**s {get;set;}
  public  test_ranu () {
    agg = [select id from Apttus__APTS_Agreement__c where id =     'a3SV0000000c614' limit 1];
  
  }
  public void done() {
    try {
      agg .Apts_Legal_Review_Flag__c = true;
      system.debug('=========1');
      update agg;
      if( Schema.sObjectType.Apttus__APTS_Agreement__c.isUpdateable()   )
      **bleep**s  = true;
  
    }catch(Exception e) {
      system.debug('==============2'+e);
    }
  
  }//end of method

}//end of class

 

 

User - Su om (Not system admin), permission on profile - No access on Agreement Object

Created a permission set and assigned permissions - Read, Create (on Agreement object).

Assigned this permission set to this user.

There is no sharing for this object.

When I check isUpdateable, it gives me 'false' for this user.

But when I click on the done button, the record is updated successfully and no exception occurs on update.

I tested with both 'With Sharing' and 'Without Sharing'. I found the same behaviour.

 

Please help.

 

 

Best Answer chosen by Admin (Salesforce Developers) 
bob_buzzard
As this is a custom controller, it runs with the permissions of the system user. The with/without sharing simply controls visibility of records, not the permissions that apply once you have access to a record.

Here's a link to the docs for this:

http://www.salesforce.com/us/developer/docs/pages/Content/pages_controller_def.htm
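
Because a custom controller's DML is not blocked by the running user's object or field permissions, the controller has to check them itself before calling update. The following is an added example, not part of the original thread: it reuses the object, field and record Id from the question, while the class name `AgreementReviewController`, the property `updated` and the helper `canFlagForLegalReview` are hypothetical, and it assumes the page contains `<apex:pageMessages />` so the error is shown.

```apex
// Added example (not the original poster's code): the question's controller
// with the permission check moved in front of the DML.
public with sharing class AgreementReviewController {
    private Apttus__APTS_Agreement__c agg;
    public Boolean updated { get; private set; }

    public AgreementReviewController() {
        updated = false;
        // "with sharing" only limits which rows this query can see;
        // it does not apply the user's object or field permissions.
        agg = [SELECT Id FROM Apttus__APTS_Agreement__c
               WHERE Id = 'a3SV0000000c614' LIMIT 1];
    }

    // True only when the running user may edit both the object and the field.
    private Boolean canFlagForLegalReview() {
        return Schema.sObjectType.Apttus__APTS_Agreement__c.isUpdateable()
            && Schema.sObjectType.Apttus__APTS_Agreement__c
                   .fields.Apts_Legal_Review_Flag__c.isUpdateable();
    }

    public void done() {
        updated = false;
        // Check BEFORE the DML: update itself raises no permission error here.
        if (!canFlagForLegalReview()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR,
                'You do not have permission to update this Agreement.'));
            return;
        }
        try {
            agg.Apts_Legal_Review_Flag__c = true;
            update agg;
            updated = true;
        } catch (DmlException e) {
            // Validation rules, triggers or record locks can still fail the update.
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, e.getDmlMessage(0)));
        }
    }
}
```

With the permission set from the question (Read and Create only), `canFlagForLegalReview()` returns false for that user, so the record is left unchanged and the page shows the error instead.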