Permissions being enforced on a Salesforce Apex WebService

Posted on 2024-12-29 15:52:36

After reading this tidbit, it would seem that the current user's permission would be irrelevant. However, when calling this method as anyone but a user with the Administrator profile, it throws an INSUFFICIENT_ACCESS_ON_CROSS_REFERENCE_ENTITY exception:

global without sharing class OpportunityTeamSales {
    WebService static void AssignToSalesTeam(string userId, string opportunityId)
    {
        OpportunityTeamMember tm = new OpportunityTeamMember();
        tm.OpportunityId = opportunityId;
        tm.UserId = userId;
        tm.TeamMemberRole = 'Sales Engineer';

        insert tm;
    }
}

Even with the explicit without sharing keywords, it appears to be enforcing field-level security/permissions to the object/child object. Opportunity and OpportunityTeamMember being system objects, we can't edit the relationship.

UPDATE:

The user profile that is encountering the error has read/write/modify permissions on the Opportunity object and the OpportunityTeamMember object does not appear to have a specific permission set. We're simply trying to create an OpportunityTeamMember, the lookup target of which the user has full permissions to with the exception of "delete."

Comments (1)

音盲 2025-01-05 15:52:36

without sharing means that the class doesn't respect sharing rules, the rules which govern visibility of records within the system when the privacy setting for an object is set to private. As far as I'm aware it does not mean that object-level permissions are overridden, and so you can still not access a lookup field which joins to an object the user does not have access to, hence the error you're seeing here. You'll need to assign the user to a different user profile which does have access to these objects.

EDIT

Assuming your users do have the required access to the objects, I believe you also need the "Customize Application" permission checked on the user's profile for them to be able to modify sales teams.
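
One way to see which access layer is involved, as an added example that is not part of the original question or answer: the class below reports the running user's object-level permissions and record-level access to the Opportunity, then attempts the insert inside a savepoint and returns the resulting status code. The class and method names are hypothetical, and it assumes Opportunity teams are enabled in the org.

```apex
// Added example (hypothetical names): reports which layer blocks the insert
// for the running user instead of failing with a bare exception.
global without sharing class OpportunityTeamAccessCheck {
    WebService static String DiagnoseAssign(String userId, String opportunityId) {
        List<String> report = new List<String>();

        // Object-level (profile / permission set) checks. Describe results
        // reflect the running user and are unaffected by the sharing keyword.
        report.add('Opportunity.isAccessible=' +
            Schema.sObjectType.Opportunity.isAccessible());
        report.add('OpportunityTeamMember.isCreateable=' +
            Schema.sObjectType.OpportunityTeamMember.isCreateable());

        // Record-level (sharing) check on the lookup target.
        for (UserRecordAccess ura : [
                SELECT RecordId, HasReadAccess, HasEditAccess
                FROM UserRecordAccess
                WHERE UserId = :UserInfo.getUserId()
                AND RecordId = :opportunityId]) {
            report.add('Opportunity HasReadAccess=' + ura.HasReadAccess +
                ' HasEditAccess=' + ura.HasEditAccess);
        }

        // Attempt the insert without throwing, then roll back so the
        // diagnostic call leaves no team member behind.
        Savepoint sp = Database.setSavepoint();
        OpportunityTeamMember tm = new OpportunityTeamMember(
            OpportunityId = opportunityId,
            UserId = userId,
            TeamMemberRole = 'Sales Engineer');
        Database.SaveResult sr = Database.insert(tm, false);
        if (sr.isSuccess()) {
            report.add('insert=OK (rolled back)');
        } else {
            for (Database.Error e : sr.getErrors()) {
                report.add('insert=' + e.getStatusCode() + ': ' + e.getMessage());
            }
        }
        Database.rollback(sp);
        return String.join(report, '\n');
    }
}
```

Calling it once as an administrator and once as the affected user, with the same arguments, shows which of the reported values differ between the two profiles.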
