SObjectType.getDescribe() or Schema.describeSObjects() do not correctly reflect the isAccessible, isCreateable, isDeletable, isUndeletable, isUpdateable properties

Apex , API , Platform , VisualForce , Eclipse IDE

Last updated 2018-12-18 ·Reference W-2616683 ·Reported By 128 users

Fixed - Winter '19

Summary
Calling SObjectType.getDescribe() or Schema.describeSObjects() in Apex does not correctly reflect the objects' isAccessible, isCreateable, isDeletable, isUndeletable and isUpdateable properties: they always return true, even if the user's profile has no permissions on that object.

This happens because when these calls are made from Apex, the code runs in System Mode, whereas Visualforce does not use system mode to perform these checks.

Repro
1. Create a new user profile based on System Administrator.

2. Edit this profile and remove "Standard Object Permissions" for any standard object (for example, Asset).
(Once this is done, the profile also loses its "Author Apex" permission, so the reproduction relies on Visualforce rather than on executing anonymous Apex.)

3. Create a new user and assign it to this profile.

4. Create the following Visualforce page for testing Visualforce:

    <!-- isAccessiblePageVF -->
    <!-- $ObjectType is evaluated in user mode, so this reflects the profile's permissions -->
    <apex:page sidebar="false" showHeader="false" standardStylesheets="false">
        <h1>Visualforce accessibility</h1>
        Object accessible: {!$ObjectType['Asset'].accessible}
    </apex:page>

5. Create the following controller and Visualforce page for testing Apex:

    public with sharing class isAccessiblePageApex {
        // Describe call made from Apex: before the fix this always returns 'true',
        // regardless of the running user's object permissions
        public String getCheckObj() {
            return String.valueOf(Schema.describeSObjects(new String[]{'Asset'})[0].isAccessible());
        }
    }

NOTE: the same behaviour occurs when the class is declared without sharing.

    <!-- isAccessiblePageApex -->
    <apex:page sidebar="false" showHeader="false" standardStylesheets="false" controller="isAccessiblePageApex">
        <h1>Apex accessibility</h1>
        Object accessible: {!checkObj}
    </apex:page>

6. Log in as your new user.
7. Visit each new Visualforce page to compare the reported access level.

-----

Note that while this issue is fixed in Winter '19, the change has been versioned to avoid breaking previously functional code. It is strongly advised that you upgrade your Apex class API version to opt in to the corrected behavior.
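One way to confirm that a class has actually opted in to the corrected behavior is a unit test that runs as a restricted user and asserts that the describe result is false. This is an added example, not code from the known-issue page; it assumes the test class's metadata sets an API version of 44.0 (Winter '19) or later, and that a profile named 'Restricted Asset Profile' (a placeholder name) exists with the Asset object permissions removed, as in the repro steps above.

```apex
// Added example: verifies that describe calls respect object permissions
// once the class runs on API version 44.0 or later.
// Assumes a profile 'Restricted Asset Profile' (placeholder) with no Asset permissions.
@IsTest
private class ObjectPermissionDescribeTest {

    private static User makeRestrictedUser() {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Restricted Asset Profile' LIMIT 1];
        return new User(
            Alias = 'rstr',
            Email = 'restricted@example.invalid',
            EmailEncodingKey = 'UTF-8',
            LastName = 'Restricted',
            LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US',
            ProfileId = p.Id,
            TimeZoneSidKey = 'UTC',
            // Unique username so the test can run repeatedly in the same org
            Username = 'restricted.' + System.currentTimeMillis() + '@example.invalid'
        );
    }

    @IsTest
    static void describeReflectsProfilePermissions() {
        User u = makeRestrictedUser();
        insert u;

        System.runAs(u) {
            // Both describe styles from the summary should now agree with the profile
            Schema.DescribeSObjectResult byToken = Asset.SObjectType.getDescribe();
            Schema.DescribeSObjectResult byName =
                Schema.describeSObjects(new String[]{'Asset'})[0];

            System.assertEquals(false, byToken.isAccessible(),
                'Asset should not be accessible; is the class API version below 44.0?');
            System.assertEquals(false, byToken.isCreateable());
            System.assertEquals(false, byToken.isUpdateable());
            System.assertEquals(false, byToken.isDeletable());
            System.assertEquals(byToken.isAccessible(), byName.isAccessible(),
                'getDescribe() and describeSObjects() should report the same result');
        }
    }
}
```

If the assertions fail in an org that already has Winter '19, the class is still on an older API version and is getting the legacy always-true behavior.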

Workaround
The workaround relies on performing the checks in a Visualforce context. An Apex class creates a Visualforce PageReference which in turn performs the check; all Apex needs to do is check whether the corresponding element was rendered as 'true' in the Visualforce output.


Create a Visualforce page:

    <!-- testObjectPermissions -->
    <!-- contentType is text/plain so the response can be read as a string by getContent() -->
    <apex:page sidebar="false" showHeader="false" contentType="text/plain" standardStylesheets="false">
        <accessible>{!$ObjectType[$CurrentPage.parameters.obj].accessible}</accessible>
        <createable>{!$ObjectType[$CurrentPage.parameters.obj].createable}</createable>
        <deletable>{!$ObjectType[$CurrentPage.parameters.obj].deletable}</deletable>
        <undeletable>{!$ObjectType[$CurrentPage.parameters.obj].undeletable}</undeletable>
        <updateable>{!$ObjectType[$CurrentPage.parameters.obj].updateable}</updateable>
    </apex:page>

Create this Apex class:

    public class CheckObjectPermissionsInVisualForce {
        // Rendered output of the testObjectPermissions page for the requested object
        String results;

        public CheckObjectPermissionsInVisualForce(String objectName) {
            // The object name is URL-encoded so it cannot alter the query string.
            // Note: PageReference.getContent() cannot be called from triggers or test methods.
            results = new PageReference('/apex/testObjectPermissions?obj='
                + EncodingUtil.urlEncode(objectName, 'UTF-8')).getContent().toString();
        }

        public Boolean isAccessible() {
            return results.contains('<accessible>true</accessible>');
        }

        public Boolean isCreateable() {
            return results.contains('<createable>true</createable>');
        }

        public Boolean isDeletable() {
            return results.contains('<deletable>true</deletable>');
        }

        public Boolean isUndeletable() {
            return results.contains('<undeletable>true</undeletable>');
        }

        public Boolean isUpdateable() {
            return results.contains('<updateable>true</updateable>');
        }
    }

You can now use this Apex class to check whether the running user has the relevant permissions on an object, as follows:

    new CheckObjectPermissionsInVisualForce('Asset').isAccessible();
