Salesforce Developer Security Crud


// Salesforce - Developer - Security - CRUD :

CRUD is shorthand for Create, Read, Update, Delete.

Salesforce profiles allow you to configure CRUD on standard and custom objects 
in the following ways:

1. Read – Users can view records
2. Create – Users can insert records (Includes Read)
3. Edit – Users can update records (Includes Read)
4. Delete – Users can delete records (Includes Read and Edit)
5. View All – Users can view all records, ignoring sharing.
6. Modify All – Users can read, edit, delete, transfer, and approve records, 
   ignoring sharing.

Visualforce runs in user context, but custom controllers run in system context. 
What is the expected behavior for CRUD?

1. Apex Classes will not enforce user CRUD permissions.
   a. Any object can be queried (READ)
   b. Insert(), Update(), and Delete() methods can be called.

2. Visualforce will enforce CRUD.
   a. An object will only be rendered if read is granted for that object.

3. Notable exception – dereferenced objects do not have their CRUD enforced.

   a. {!contactEmail} = no CRUD enforced on contact
   b. {!contact.Email} = CRUD enforced on contact

Enforcing CRUD in Apex:

A user's CRUD permissions can be verified and enforced manually in Apex with
minimal extra code, maintaining the integrity of any administrator-defined
permissions.

1. <sObject>.sObjectType.getDescribe()

   a. isCreateable()
   b. isAccessible()
   c. isUpdateable()
   d. isDeletable()

public class MyController {
  public String getMyAccount() {
    if (!Account.sObjectType.getDescribe().isAccessible()) { return ''; } // user lacks Read on Account
    return [SELECT Name FROM Account LIMIT 1]?.Name;
  }
}
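
The following is an added example, not code from the original page: a hypothetical Visualforce custom controller that applies each of the four describe checks listed above before the matching operation, including the {!contactEmail} case where Visualforce itself does not enforce CRUD. The class name ContactController, the CrudException type, the method names and the "id" page parameter are assumptions.

```apex
// Added example; ContactController, CrudException and the method names are hypothetical.
public class ContactController {
    public class CrudException extends Exception {}

    private final Id contactId;

    public ContactController() {
        // Assumes the page is opened with ?id=<Contact record Id>
        contactId = (Id) ApexPages.currentPage().getParameters().get('id');
    }

    // Bound as {!contactEmail}: Visualforce receives a plain String, so the
    // Read check on Contact has to be made here.
    public String getContactEmail() {
        if (!Contact.sObjectType.getDescribe().isAccessible()) {
            return '';
        }
        List<Contact> rows = [SELECT Email FROM Contact WHERE Id = :contactId LIMIT 1];
        return rows.isEmpty() ? '' : rows[0].Email;
    }

    public Id createContact(String lastName) {
        if (!Contact.sObjectType.getDescribe().isCreateable()) {
            throw new CrudException('No Create permission on Contact');
        }
        Contact c = new Contact(LastName = lastName);
        insert c;
        return c.Id;
    }

    public void updateEmail(String email) {
        if (!Contact.sObjectType.getDescribe().isUpdateable()) {
            throw new CrudException('No Edit permission on Contact');
        }
        update new Contact(Id = contactId, Email = email);
    }

    public void deleteContact() {
        if (!Contact.sObjectType.getDescribe().isDeletable()) {
            throw new CrudException('No Delete permission on Contact');
        }
        delete new Contact(Id = contactId);
    }
}
```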