[SalesForce] Sample test for testing FLS/CRUD

I'm trying to understand FLS/CRUD permissions using a simple test. I have created a user and assigned a no-update,no-delete,no-create permission set on that. In my test I'm trying to run as this new user, but I still see that the object gets updated and the field is updateable. Am I missing something here?

Here is the code:

@isTest
   public class sampletest {

    static User createuser(){
        String username = 'testUser';
        Profile p = [SELECT Id FROM Profile WHERE Name='Standard User'];
        User newuser = new User(Alias = username, Email='u1@testorg.com',
                                EmailEncodingKey='UTF-8',lastname='Testing',
                                LanguageLocaleKey='en_US',LocaleSidKey='en_US',
                                ProfileId = p.Id,  Country='United States',
                                TimeZoneSidKey='America/Los_Angeles', UserName=username
                                + Datetime.now().hour() + Datetime.now().minute()
                                + Datetime.now().second() +'@testorg.com');
        insert newuser;
        system.debug('Creating user: ' + newuser.id);
        assignObjectPermission(newUser,'Lead',false,false,false); 
        return newuser;
    }

    static testmethod void method1(){
        User newuser = createUser();
        System.runAs(newuser){
            Lead newlead = new Lead(LastName='Some', Company='XYZ');
            insert newlead;

            Lead lead = [Select name from Lead Limit 1];
            String[] strfields = new String[] {'Company', 'FirstName'};  
            SobjectType objType = Lead.getSobjectType();
            Map<String, Schema.SObjectField> fields = objType.getDescribe().fields.getMap();
            system.debug('Fields: ' + fields );

            for (String strfield : strfields) {
                if(fields.get(strfield).getDescribe().isUpdateable()){
                    system.debug('Field ' + strfield + ' is updateable');
                }   
            }
            upsert lead;
        }        
    }

    private static void assignObjectPermission(User u, String objectType, Boolean create, Boolean edit, Boolean remove){
        PermissionSet ps = new PermissionSet(Name = 'Enable' + objectType, Label = 'Enable ' + objectType);
        insert ps;                                  

        ObjectPermissions oPerm = new ObjectPermissions(ParentId = ps.Id,
            PermissionsRead = true,
            PermissionsCreate = create,
            PermissionsEdit = edit,
            PermissionsDelete = remove,
            SObjectType = objectType);

        insert oPerm;
        system.debug('permission: ' + oPerm);

        PermissionSetAssignment assign = new PermissionSetAssignment(AssigneeId = u.Id, PermissionSetId = ps.Id);                       
        insert assign; 
        system.debug('assign: ' + assign);
    }   
}

I see the following logs and upsert is successful:

20:20:46:838 USER_DEBUG [34]|DEBUG|Field FirstName is updateable
20:20:46:838 USER_DEBUG [34]|DEBUG|Field Company is updateable

Best Answer

"Standard User" is the profile which you have assigned to your user.

And if we check lead permission on that then

We found that they already have create and update permission for lead. Using permission set we can't restrict user's permission we can only enhance them.

So if your permission set doesn't allow the lead reate and update still user can update it because there profile allow to do so. If you want to check this then first remove this permission from there profile and then test it.

You can read in more detail about permission set in given reference.

Permission Set Reference

Related Solutions

[SalesForce] CRUD and FLS enforcement

Yes its of course possible you can do it in two ways (which essentialy are the same)

Schema.sObjectType.Account.isUpdateable()

and

Account.sObjectType.getDescribe().isUpdateable()

if (!Schema.sObjectType.Account.fields.Name.isUpdateable() &&
    !Schema.sObjectType.Account.fields.BillingStreet.isUpdateable() ){
        update acc; }

That will check actually even 3 things

Edit access to Name field
Edit access to BillingStreet field
Edit access to Account itself

This will check Name and Account access

Also remember about with sharing and without sharing for class

With sharing checks if the user have access (read, read/write, none) to a RECORD and not object itself. So even if user have access to edit fields/object but doesnt have access to record, that user wont be able to edit record.

There are of course cases when user have view all/modify all on object or view all data/modify all data (system admins).

Without sharing ommits that restrictions but it needs to be used only when you have that kinda specific requirement

[SalesForce] Security Review – CRUD/FLS Checks for every SOQL Query

You don't need to check every field that you query. The issue really boils down to who manages security for the field -- your app or the admin. With standard objects, the answer is always the admin. With custom objects, it depends on whether the field is user visible and is used by users or whether it is internal and used only by your app. Things like wizard state, Auth state, etc.

The standard example would be something like an app that manages contracts. The text of the contract would be managed by the admin, but something like contract state would be managed by your app.

Because this is fundamentally ambiguous, you can make a false positive document outlining which fields are managed by your app and which are not. The worst thing to do is nothing and let the tester try to guess, as they might not have much time to go through your app and may not understand your app well enough to correctly classify this on their own. So a lot of this is up to you in making the case that you own some objects and not the admin.

Once you have the list of fields you need to check perms for, it doesn't matter whether they are used in WHERE clauses or directly accessed -- you need to make sure that the perms are checked. You can use the ESAPI API which contains helper functions such as updateAsUser(), you can write your own helper functions, or you can do checks centrally in your controller.

Triggers run after other code or the UI already allows an operation, so the trigger wouldn't fire if the user didn't have permission already, assuming all the upstream checks are made when necessary. Therefore triggers that only update the object being modified generally don't need a check, the issue is if the the trigger modifies some other object, in which case you do need to do the check if the object is managed by the admin.

For background/async/scheduled jobs, there is absolutely no difference in security requirements for async apex versus synchronous apex. Whether you do an operation synchronously or not has nothing to do with whether the admin's policies need to be respected. The same concerns apply as above -- do the check if you don't own the object and don't do it if you do.

One thing to keep in mind here is that unlike sharing, you generally control the profiles and permission sets of your users as you can package these with your app. So package the permissions so that your checks always return true. Then, if your checks return false, it means that the admin assigned a different perm set or changed the perm set assignment for a user of your app, which is something that should generally result in a failure message. There may be situations in which the app should not work for a user -- say the admin removed some perms from that user, but due to not having deep knowledge of how your app works, did not remove that user from your app. Making these checks is exactly for this type of conflict situation, and generally you want to stop processing with an error message and let the admin resolve the inconsistency at the perm level, rather than trying to guess what the admin would want to do and then override the org perms. This is because if every app overrode the org perms, then the admin wouldn't be able to manage permissions centrally anymore.

Best Answer

Related Solutions

[SalesForce] CRUD and FLS enforcement

[SalesForce] Security Review – CRUD/FLS Checks for every SOQL Query

Related Topic