function readOnly(count){ }
Sign Up ›
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
Learn More

Browse by Topic
ShowAll Questionssorted byDate Posted
+ Start a Discussion
Salesforce SolutionsSalesforce Solutions 

Why does this query for attachments "with sharing" return records the user cannot access?

Here is a simple Visualforce page controller, declared "with sharing", that queries for all attachments.

 

public with sharing class zTest2Controller {
 
    public List<Attachment> atms{
        get {
            if (atms == null) {
                atms = [SELECT ID, Name, BodyLength, ContentType, CreatedById,
                 CreatedDate, IsDeleted, IsPrivate,LastModifiedById,LastModifiedDate,OwnerId,Owner.Name,
                 ParentId, Parent.Name FROM Attachment LIMIT 2000];
            }
            return atms;
         }
    private set;
    }
    
 }

 

Here is a page that uses this controller:

 

<apex:page controller="zTest2Controller">

    <apex:pageBlock >
        <apex:pageBlockTable value="{!atms}" var="atm">  
            <apex:column headerValue="ID">  
              {!atm.ID}  
            </apex:column>  
            <apex:column headerValue="Name">  
               <apex:outputLink value="/{!atm.ID}">{!atm.Name}</apex:outputLink>
                
            </apex:column>  
            <apex:column headerValue="Parent Name">  
            <apex:outputLink value="/{!atm.ParentID}">{!atm.Parent.Name}</apex:outputLink>
            </apex:column>  
            <apex:column headerValue="Owner Name">  
              {!atm.Owner.Name}  
            </apex:column>  
        </apex:pageBlockTable> 
        
        <apex:outputText >{!atms.size} records</apex:outputText>  
    </apex:pageBlock>
</apex:page>

 

 

When I access this page as a test user who cannot see all of the attachments, they are still all displayed.


In one case I created a Test Profile that does not allow a user to see Opportunities, and a user with this profile still gets the attachments on Opportunities (even though the user cannot access the Opportunities or the attachments).
In another case, the user is a Platform user, but still is returned attachments that are not exposed to Platform users.

Is this expected behavior???

The documentation implies in one place that the use of "with sharing" will prevent these kinds of data leaks:
http://www.salesforce.com/us/developer/docs/apexcode/Content/pages_security_tips_data_access_control.htm

But in another places it seems to say that "with sharing" only enforces sharing rules, not permission sets or user profiles:

 

"Enforcing sharing rules by using the with sharing keyword doesn’t enforce the user's permissions and field-level security. Apex code always has access to all fields and objects in an organization, ensuring that code won’t fail to run because of hidden fields or objects for a user."