[SalesForce] How to check field accessiblity of a field that is related to the object being checked

While developing secure controller actions for a Lightning Component, I ran across an issue checking accessibility for an Account level attribute related a Contact.

For example:

Schema.SObjectType.Contact.fields.getMap().get('Account.My_custom_field__c').getDescribe().isAccessible()

The piece of code, get('Account.My_custom_field__c') returns null, and the code throws an exception. I understand why it is happening — the field it's trying to check is technically on the Account object, not the Contact object.

The way I have written my code is, I have an array of fields, which I later use to piece together a query. I loop over each field, check field accessibility, then if the field is accessible, I add to the queryable fields list.

Here's a full code example, and my current work-around:

// this list of fields are these that will be returned to the component
String[] selectableFields = new String[] { 'Id', 'Name', 'Title', 'Email', 'Fax', 'Phone', 
    'HomePhone', 'MobilePhone', 'Account.My_custom_field__c', 'MailingStreet',
    'MailingCity', 'MailingState', 'MailingPostalCode' };        

Map<String, Schema.SObjectField> fieldMap = Schema.SObjectType.Contact.fields.getMap();
List<String> columns = new List<String>();
for(String field : selectableFields) {
    if(DEBUG) System.debug('Selectable field: ' + field);
    // it's not possible to check accessiblilty on second-level attributes, so just add it to the columns list
    if(field.contains('.')) {
        columns.add(field.trim());
        if(DEBUG) System.debug(' - unknown accessiblity due to second level attribute');                
    }
    else if(fieldMap.get(field).getDescribe().isAccessible()) {
        columns.add(field.trim());
        if(DEBUG) System.debug(' - accessible');
    }
    else {
        if(DEBUG) System.debug(' - inaccessible');
    }
}
// id will also be accessible if has access to object, so check if more than 1 column is accessible
if(columns.size() > 1) {
    // get the contact id from the the user's record
    String contactId = [select ContactId from user where id = :UserInfo.getUserId() limit 1][0].ContactId;  
    return Database.query('select ' + String.join(columns, ',') + ' from Contact where id = :contactId');
}
else {
    throw new AuraHandledException(NO_ACCESS_MESSAGE);
}

I'd like to avoid having to write if this else that style code to handle what I'm calling second-level attributes in the code above, but I don't see any way around it.

I realize I can just hard-code the Account.My_custom_field__c accessibility check, but I wanted to first see if there are any patterns or best practices to check for field accessibility that take multi-level attributes into account before I do.

Best Answer

I built out a system to do just that for a FluentQuery tool I was working on. Here's the relevant bit of the DescribeCache:

global class DescribeCache
{
    static final Map<SObjectType, Map<String, SObjectField>> fields =
        new Map<SObjectType, Map<String, SObjectField>>();

    global static SObjectField getField(SObjectType sObjectType, String fieldPath)
    {
        if (sObjectType == null || fieldPath == null) return null;
        if (!fields.containsKey(sObjectType))
            fields.put(sObjectType, sObjectType.getDescribe().fields.getMap());
        if (!fieldPath.contains('.')) return fields.get(sObjectType).get(fieldPath);

        Relationship relation = new Relationship(fieldPath.substringBefore('.'));
        SObjectField field = fields.get(sObjectType).get(relation.getFieldPath());
        if (field == null) return null;

        SObjectType parentType = field.getDescribe().getReferenceTo()[0];
        return getField(parentType, fieldPath.substringAfter('.'));
    }
    class Relationship
    {
        final String name;
        public Relationship(String name) { this.name = name; }
        public String getFieldPath()
        {
            if (name == null) return null;
            return name.endsWith('__r') ?
                name.replace('__r', '__c') : name + 'Id';
        }
    }
}

And the relevant bit of my Permissions class minus all the mocking:

// change to public static if this part is all you need
protected virtual Boolean canAccess(SObjectType sObjectType, String fieldPath)
{
    SObjectField field = DescribeCache.getField(sObjectType, fieldPath);
    return (field == null) ? false : field.getDescribe().isAccessible();
}

The library is open source. Feel free to pull whatever you need out and adjust for your own use.

Related Solutions

[SalesForce] Schema.getGlobalDescribe and “Invalid field LastReferencedDate for Account”

Force.com Platform Apex Versioning and Feature/Field Visibility

The platform (or more specifically Apex runtime) often (but not always) conditions the visibility of various features (including fields on objects) based on the API version (linked with platform version) associated with Apex code file containing the code being run. This way new features arriving on the platform don't break existing code, but it also means unless you upgrade the API version of your code it won't see new features/fields. This is driven by the -meta.xml file associated with your Apex and VF pages, also visible in the UI under Version Settings tab.

enter image description here

RE: Difference in behaviour in Execute Anonymous

When you run Apex code fragments this way, you have no containing Apex class or -meta.xml file. In this case the version of the Apex Web Service API being used to execute the Apex code governors the version of the Apex runtime your code runs in. I suspect your running your code in the Force.com IDE? Which likely uses a version of the Apex Web Service that pre-dates the introduction of this field (new for Summer'13). So try upgrading your Force.com IDE to resolve this. Note that if you use Developer Console to perform the same via its Execute Anonymous window, the code will work, as this is implicitly always on the latest platform version.

Resolving your Issue

Thus the first thing to check is that your using the latest API version in your code and VF files, I like to ensure they are all on the same version. The latest version, as of Summer'13 is API 28. This LastReferenced field was introduced in API 28, so use either of the two approaches to check and change your API version of your code and VF files.

Slight Oddity about your Issue

In theory the Apex Describe should return fields only supported by the API version the code making the describe calls supports. Thus you should reasonably expect to pass them to a SOQL query as well. What might be a platform bug here is the Apex Describe is surfacing the LastReferenced field incorrectly for older API Apex code, while the SOQL parser is correctly enforcing the perception that at that API level it didn't exist. Regardless updating to a new API version should resolve it, though if Apex Describe is "leaking" new fields regardless of the Apex callers API version this could reoccur. I'll do a little testing on this see if I can prove this assertion about a possible platform bug.

[SalesForce] Creating a new Task in Apex

First off, to debug this, I would take the VisualForce page out of the equation. That's what unit tests are for. Create a test class that inserts the necessary records (Accounts, Package information records...), exercises your controller and asserts that the tasks are created. Once you know your controller logic is working, creating the VF page is just markup and data binding.

I would also remove some code that, in my opinion, is a bit redundant and just complicates reading the code. Apologies if I sound pedantic (that is not my intention), but in the past I've seen many times how cleaning up your code makes bugs in the code more obvious to see.

For instance, you have a catch block that returns null, when the normal method exit point returns null. You instantiate a standard controller just to save a record... can't that be done with a simple update statement? Your saveChanges method could look like this:

public ApexPages.PageReference saveChanges(){
    for (Package_Information__c packs : accountPackages){
          try {
            sendTask();
            update packs;
          }
          catch(Exception e) {}
    }
    return null;
}

Incidentally, it might be worth adding a debug statement in that catch. Perhaps your code is ending there?

If you do this with all your code, there's fewer lines of code and fewer things to go wrong.

Having said that, my guess is that accountPackages.equals(accountPackagesClone) is evaluating to true and you're exit the statement. Is that funny debug statement (as highlighted by @brovasi) supposed to be the indicator that 'The clone equals the original'?

Best Answer

Related Solutions

[SalesForce] Schema.getGlobalDescribe and “Invalid field LastReferencedDate for Account”

[SalesForce] Creating a new Task in Apex

Related Topic