I am using Force.com Sites with a VF page and an Apex controller. In the class I am doing an update DML operation based on a Field Level Security check on fields using [objectName].fields.getMap().get([fieldApiName]).getDescribe().isUpdateable(). This statement always returns false even though the guest user profile has Edit access on the fields.
Removing this if check is an option for now, although I am wondering if there is any existing limitation on using this check. Any insights are appreciated.
Thank you
Salesforce removed the update permission from Guest users a while ago.
Documentation
Guest users can’t have more than read access to data
Guest users can’t have the update or delete permissions on objects. Guest users can only update or delete records in System Mode.
If the Guest user profile has create permission on the object and edit permission on the field, isCreateable() will return true, but since the profile lacks the update permission, isUpdateable() will return false.
I have a role hierarchy in place.
The new requirement is to set up permissions for specific external users so they will not be able to see other users' records.
The sharing setting for the object is set to Private. I cannot create a user without a role. Other users should be able to see other users' records (in their role), but only these few users should be able to see only the records they own.
Any idea how to solve it?
Thanks,
Chen
I hope you're fine. This is my first question and I really don't know where to start from, so here it is:
I've been trying to build a sample with the Microsoft Web API template where I have to authorize users based on roles, for example "Admin, Moderators, etc.". The thing is that I don't want to put all those roles on top of the controller like
[Authorize ( Roles ="Admin, Moderators, etc...")]
I see this as not good practice, because what happens if I create another role in my DB? I will have to modify the controller to add the new role xD, really bad, isn't it? So the question is: how to extend some class like AuthorizeFilter to get the roles from the database and validate them against the controller? I mean, if there is a user who is in the admin role, authorize it, and vice versa?
The other question is how to build a good authorization filter which can manage something like: if a user is in the Moderator role but the only right he has is to use the Create action in the controller?
I hope you can help me with an example...
Thanks in advance
PS. Sorry for my English.
I agree role-based authorization is somewhat limited and the Authorize attribute is a bit rigid.
In some scenarios role-based authorization is not enough; you need to extend it. You can introduce the permission concept. Instead of it being a requirement that you have to be a member of a specific role to execute an action, you could state that to be authorized to execute an action you need a specific permission. So instead of the Authorize attribute you use RequiredPermissionAttribute. Of course you need to write RequiredPermissionAttribute as an authorization filter.
In the database you have the Permissions table, the Roles table, the RolePermissions table and the UsersInRole table.
So a user can be a member of one or more roles. A role can have one or more permissions. A user has a specific permission if he/she is a member of a role that has that permission.
The required permission filter checks if the logged-in user is a member of a role that has the permission; if not, it returns 401 not authorized.
This is a more flexible approach: actions are not tied to roles, and roles don't have a fixed number of permissions.
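The filter described in this answer, written out as an added example (not code from the answer's author or from any Microsoft template). It targets ASP.NET Web API 2 and assumes a hypothetical IPermissionStore abstraction in front of the Users/Roles/RolePermissions/Permissions tables; the InMemoryPermissionStore, the user names and the permission names are constructed sample data standing in for the database.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical abstraction: resolves a user's effective permissions by walking
// UsersInRole -> RolePermissions -> Permissions, as the answer lays the tables out.
public interface IPermissionStore
{
    ISet<string> GetPermissionsForUser(string userName);
}

// Constructed in-memory stand-in for the four tables; a real application queries the database.
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, HashSet<string>> UsersInRole =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice"] = new HashSet<string> { "Admin" },
            ["bob"]   = new HashSet<string> { "Moderator" },
        };

    private static readonly Dictionary<string, HashSet<string>> RolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Admin"]     = new HashSet<string> { "Posts.Create", "Posts.Delete" },
            ["Moderator"] = new HashSet<string> { "Posts.Create" },   // may create, not delete
        };

    public ISet<string> GetPermissionsForUser(string userName)
    {
        var granted = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        HashSet<string> roles;
        if (userName == null || !UsersInRole.TryGetValue(userName, out roles))
            return granted;                      // unknown user: no permissions at all

        foreach (var role in roles)
        {
            HashSet<string> perms;
            if (RolePermissions.TryGetValue(role, out perms))
                granted.UnionWith(perms);        // union over every role the user is in
        }
        return granted;
    }
}

// The authorization filter the answer describes: an action declares the permission it
// needs, and the filter checks the caller's effective permissions instead of a role list.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequiredPermissionAttribute : AuthorizationFilterAttribute
{
    // Static factory only to keep the sample self-contained; resolve the store via DI in real code.
    public static Func<IPermissionStore> StoreFactory = () => new InMemoryPermissionStore();

    private readonly string permission;

    public RequiredPermissionAttribute(string permission)
    {
        if (string.IsNullOrWhiteSpace(permission))
            throw new ArgumentException("A permission name is required.", nameof(permission));
        this.permission = permission;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        IPrincipal principal = actionContext.RequestContext.Principal;

        // No authenticated identity: 401, the case the answer describes.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        ISet<string> granted = StoreFactory().GetPermissionsForUser(principal.Identity.Name);
        if (!granted.Contains(permission))
        {
            // Authenticated but lacking the permission: 403 is the conventional status here.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
        // Otherwise leave Response null and the action runs.
    }
}

// The questioner's "Moderator may only Create" case: each action names its own permission.
public class PostsController : ApiController
{
    [RequiredPermission("Posts.Create")]
    public IHttpActionResult Post() { return Ok(); }

    [RequiredPermission("Posts.Delete")]
    public IHttpActionResult Delete(int id) { return Ok(); }
}
```

With the sample data, bob (Moderator) can call Post but gets 403 from Delete, while alice (Admin) can call both; adding a new role is a row in Roles and RolePermissions, with no change to the controller. The answer says the filter returns 401; the example keeps 401 for an unauthenticated caller and uses 403 for an authenticated caller who lacks the permission, which is the distinction the HTTP status codes draw. Permission lookups should be cached per request or per user with a short lifetime, since this filter runs on every call.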
How to give user permissions in WinForms?
For example:
My application is for retail shops, so every employee has a username and password. The Super Admin (Manager) needs to give permissions to each user.
Not all employees have full rights to access all the forms.
In each form they should be able to access only selected controls.
For example, user X has permission only for Add and Edit, but not to delete the record.
User X is not supposed to enter a discount of more than 25%.
The Super Admin has permission to allow access to every employee.
For this I need some logic references.
I would be grateful.
As mentioned somewhere above, you need a role-based architecture.
In your database of users you should include a role column.
At the time of user login you have to get the role of the user having that particular username and password and store it in some global static variable which can be used throughout the application.
And according to the role, set visibility true or false for each form in the form load method.
You should develop a role-based Windows application. This tutorial describes what you need
I hope it helps you
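The pattern this answer outlines (load the user's role at login into a global static, then gate each form's controls on load), as an added example written for this page rather than code from the answer or the linked tutorial. It goes one step beyond the answer by storing a set of permission flags and a discount ceiling per user instead of only the role name, which is what the question's "Add and Edit but not Delete, and no discount above 25%" rule needs. The Permission enum, the Session class, the user table and the user names are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Windows.Forms;

// Per-control rights; a Flags enum so a user can hold any combination.
[Flags]
public enum Permission
{
    None        = 0,
    Add         = 1,
    Edit        = 2,
    Delete      = 4,
    ManageUsers = 8,
}

// What the users table would hold for one account (constructed shape).
public sealed class UserAccount
{
    public string UserName;
    public string Role;
    public Permission Rights;
    public decimal MaxDiscountPercent;
}

// The answer's "global static variable": set once at login, read by every form.
public static class Session
{
    public static UserAccount CurrentUser { get; private set; }

    // Constructed stand-in for the users table. A real login verifies the password
    // hash first and only then loads the row; that step is omitted here.
    private static readonly Dictionary<string, UserAccount> Users =
        new Dictionary<string, UserAccount>(StringComparer.OrdinalIgnoreCase)
        {
            ["manager"] = new UserAccount { UserName = "manager", Role = "SuperAdmin",
                Rights = Permission.Add | Permission.Edit | Permission.Delete | Permission.ManageUsers,
                MaxDiscountPercent = 100m },
            ["userx"]   = new UserAccount { UserName = "userx", Role = "Cashier",
                Rights = Permission.Add | Permission.Edit,      // no Delete, as in the question
                MaxDiscountPercent = 25m },
        };

    public static bool Login(string userName)
    {
        UserAccount account;
        if (!Users.TryGetValue(userName, out account)) return false;
        CurrentUser = account;
        return true;
    }

    public static bool Has(Permission required)
    {
        return CurrentUser != null && (CurrentUser.Rights & required) == required;
    }

    public static bool IsDiscountAllowed(decimal percent)
    {
        return CurrentUser != null && percent >= 0m && percent <= CurrentUser.MaxDiscountPercent;
    }
}

public static class PermissionUi
{
    // Walks the control tree; a control whose Tag is a Permission value is enabled
    // only when the current user holds that permission. Call this from Form.Load.
    public static void Apply(Control root)
    {
        foreach (Control c in root.Controls)
        {
            if (c.Tag is Permission)
                c.Enabled = Session.Has((Permission)c.Tag);
            Apply(c);   // recurse into panels, group boxes, tabs
        }
    }
}

public class RecordForm : Form
{
    private readonly Button addButton    = new Button { Text = "Add",    Tag = Permission.Add };
    private readonly Button editButton   = new Button { Text = "Edit",   Tag = Permission.Edit };
    private readonly Button deleteButton = new Button { Text = "Delete", Tag = Permission.Delete };
    private readonly NumericUpDown discount = new NumericUpDown { Minimum = 0, Maximum = 100 };

    public RecordForm()
    {
        Controls.AddRange(new Control[] { addButton, editButton, deleteButton, discount });
        Load += (s, e) => PermissionUi.Apply(this);

        // The 25% rule: reject the value before it is committed, not just hide the control.
        discount.Validating += (s, e) =>
        {
            if (!Session.IsDiscountAllowed(discount.Value))
            {
                e.Cancel = true;
                MessageBox.Show("Discount exceeds your limit of "
                                + Session.CurrentUser.MaxDiscountPercent + "%.");
            }
        };
    }
}

public static class Program
{
    [STAThread]
    public static void Main()
    {
        if (!Session.Login("userx")) return;   // constructed login; password check omitted
        Application.EnableVisualStyles();
        Application.Run(new RecordForm());
    }
}
```

Disabling or hiding a control is a convenience for the user, not the enforcement point: the code that actually deletes a record or saves a discount should call Session.Has and Session.IsDiscountAllowed again, so that a permission change takes effect and nothing depends on the form's state alone. With that in place, the Super Admin's screen is just an editor for the Rights and MaxDiscountPercent columns, guarded by Permission.ManageUsers.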
When logged in as a standard user, an attempt to update a Salesforce field fails with the following:
HTTP response error code 400 (Bad Request).
The body of the response has:
{"message"=>"insufficient access rights on cross-reference id", "errorCode"=>"INSUFFICIENT_ACCESS"}
Attempting the update with Admin privileges succeeds. So, are standard users not allowed to update records? Is there a role definition that allows updates on records that the user has access to in the Salesforce application?
Thanks,
Standard users can update records that they have edit rights to. Check their profile settings, and make sure they have access to both the record you're trying to edit and the record they are trying to reference.
On the Profile page in Salesforce, there's a permission checkbox for Mass Email. How can I query this value using Apex?
The Profile object has a bunch of fields named like PermissionXXX that indicate whether a profile has a certain permission. I just checked, and in my org, I don't see a permission field for mass emailing. So either my org doesn't have this feature (I don't think this is the case), or more likely, Salesforce chose not to expose this permission on the Permission object. If the latter is true, there may not be a way to check, other than try/catch, which you could treat as a permission check.
http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_gov_limits.htm
There is a section on email limits in the above page and it specifies all your limits for mass email and individual email.