Insufficient access; cannot execute Metadata operation with PAC enabled session id #6

Closed
seeflat opened this issue Nov 28, 2012 · 15 comments

@seeflat

seeflat commented Nov 28, 2012

I have been implementing a solution with your library (it is awesome, thanks for all the work). I had my test working and creating Visualforce pages successfully 2 days ago; now I am getting the exception message in the title.
I have tried googling this but could not find any information. Have you experienced this before?

@afawcett
Contributor

afawcett commented Dec 1, 2012

That is worrying. I've not seen this in my demos recently. I'll look into it more. Is there something special about the user or context your VF page is running in?

@ghost ghost assigned afawcett Dec 1, 2012
@seeflat
Author

seeflat commented Dec 2, 2012

The only things that come to mind are:

  1. This is going to be inside a managed package, and I am developing straight out of the packaging org.
  2. This started happening when I changed the endpoint to 26.0, but is still happening despite the fact I have reverted the endpoint back to 25.0.

Thank you so much for your prompt reply, it is thoroughly appreciated.
If there's any way I can assist please let me know. If you would like, I can create a user in the org in question if you'd like to poke around.

@afawcett
Contributor

afawcett commented Dec 3, 2012

You may be onto something here, perhaps Session IDs for packaging orgs are somewhat different? It is still frustrating that it appears to have changed, I agree. Is it just VF pages or do the samples in MetadataServiceExamples from anonymous Apex calls also fail?

@seeflat
Author

seeflat commented Dec 4, 2012

After many hours of debugging I have finally found a 'solution'.

This is definitely a very very strange issue. I copied all my test code into another development org and it ran without issue. I also have a test managed package org that I have used for proof of concept when submitting Salesforce bugs; I copied the same code into that org expecting it to fail... so of course it ran correctly, which seems to rule out the possibility this is managed package related.

I was able to run the MetadataServiceExamples through the developer console, so I started trying everything I could in the controller and page. I finally started to get closer when I commented out all the code in the action function and called the MetadataServiceExamples.createPage() method from the controller, a visualforce page was created!

After more debugging I finally found a way to make this work: the MetadataService callouts need to be in static methods AND the static methods need to be in a separate class. I have found that UserInfo.getSessionId() returns different values depending on where it is called from, as demonstrated in the code snippet below:

public with sharing class PACSessionIdController {

    public PageReference testActionFunction() {
        // The session Id outputted here is not the same as the one outputted
        // in the MetadataServiceHelper.createService debug statement.
        // If used by the metadata service the PAC session Id is received.
        System.debug('actionFunctionSessionId='+UserInfo.getSessionId());
        List<MetadataService.Metadata> apexPages = new List<MetadataService.Metadata>();
        ...
        MetadataServiceHelper.create(apexPages);
        return null; // stay on the current page
    }

    public static MetadataService.MetadataPort controllerCreateService() {
        // Despite this being a static method the value of UserInfo.getSessionId() matches
        // the value in testActionFunction() and a PAC Session Id error is received.
    }
}


public with sharing class MetadataServiceHelper {

    public static List<Id> create(List<MetadataService.Metadata> metadatas) {
        MetadataService.MetadataPort service = createService();
        List<Id> requestIds = new List<Id>();
        for(MetadataService.AsyncResult result : service.create(metadatas)) {
            requestIds.add(result.id);
        }
        return requestIds;
    }

    public static MetadataService.MetadataPort createService() {
        // Creating the service here allows for successful metadata api calls
        MetadataService.MetadataPort service = new MetadataService.MetadataPort();
        service.SessionHeader = new MetadataService.SessionHeader_element();
        service.SessionHeader.sessionId = UserInfo.getSessionId();
        System.debug('service.sessionId='+service.SessionHeader.sessionId);
        return service;
    }
}

The debug outputs and the different session Ids (truncated for security purposes):

14:29:26:051 USER_DEBUG [22]|DEBUG|actionFunctionSessionId= 00D...3fiTeSs29o2ZjeSnVrbovGh
14:29:26:109 USER_DEBUG [55]|DEBUG|service.sessionId=   00D...GGnS6ZiP1S1xiZzteOKAwC8
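
The comparison in the post above depends on writing session IDs to the debug log and truncating them by hand. As an added example (not part of the original post and not code from the library), the helper below logs a short SHA-256 fingerprint instead, so the two call sites can still be compared without the token itself reaching the log. The class name `SessionIdFingerprint` and its method names are hypothetical.

```apex
// Added example: compare session IDs across execution contexts without
// writing the session token to the debug log.
// SessionIdFingerprint is a hypothetical helper, not part of the library.
public with sharing class SessionIdFingerprint {

    // Fingerprint of the session ID visible in the calling context.
    public static String forCurrentSession() {
        return fingerprint(UserInfo.getSessionId());
    }

    // Returns a short, non-reversible tag for a session ID.
    public static String fingerprint(String sessionId) {
        // UserInfo.getSessionId() can return null, e.g. in asynchronous Apex.
        if (String.isBlank(sessionId)) {
            return 'none';
        }
        Blob digest = Crypto.generateDigest('SHA-256', Blob.valueOf(sessionId));
        // 12 hex characters (48 bits) are enough to tell sessions apart in a log.
        return EncodingUtil.convertToHex(digest).left(12);
    }

    // Logs the fingerprint with a label naming the call site and returns it,
    // so a caller can also compare contexts in code.
    public static String log(String callSite) {
        String tag = forCurrentSession();
        System.debug(callSite + '.sessionFingerprint=' + tag);
        return tag;
    }
}

// Usage at the two call sites from the post:
//   SessionIdFingerprint.log('actionFunction');  // in PACSessionIdController.testActionFunction()
//   SessionIdFingerprint.log('createService');   // in MetadataServiceHelper.createService()
// Differing tags in the debug log mean the two contexts hold different session IDs.
```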

@seeflat seeflat closed this as completed Dec 4, 2012
@seeflat
Author

seeflat commented Dec 4, 2012

Scratch everything above. I have just come back to my computer having been auto logged out of my session and my unchanged previously working code is now failing again. So I have another hunch that maybe this is caused by being booted out of a session.

Edit
So after a bit more testing:
I created a new Class named MetadataServiceHelper1 which is a copy of MetadataServiceHelper, changed all the references in PACSessionIdController, and voila the controller works again.
Next day I've tested again (no session expiry here, just closed the browser and came back the next day), same error message. Create MetadataServiceHelper2 and it starts working again.
An explicit log out and log back in again does not appear to be a problem.
Changed my session times to 15 minutes, and left it to expire. Log back in and the code is still working.

And at last I believe I have finally isolated the issue!

  1. Log in and visit my Visualforce page, wait for the session to expire.
  2. Most important step: Click the action function on the expired page; Salesforce does its thing, finds out the session is expired and redirects you to the login page.
  3. Close this page.
  4. Open a new page and log in to the org.
  5. Visit the Visualforce page, attempt to perform the same operation.
  6. The Insufficient access message is now occurring.

It looks like I am going to have to log a case with Salesforce to get this investigated, I don't know how I'm going to get past level 1 with this :)

Thanks again for your prompt replies Andrew, I will post the response from Salesforce (if I get one) into this issue.

@seeflat seeflat reopened this Dec 4, 2012
@seeflat seeflat closed this as completed Dec 5, 2012
@afawcett
Contributor

afawcett commented Dec 6, 2012

I've asked my colleague Chris Peterson, who you will likely recognise from StackExchange, to review this, as he actually has met something like this before. Hopefully Chris can shed some light! :)

@capeterson

After a read over I'm convinced that my open case with salesforce about session Ids isn't quite the same issue, although the fact that we've hit two obscure sessionId related bugs in the platform at nearly the same time leads me to believe they recently did some work in that area on the platform itself.

Daniel, have you opened up a case with salesforce on this? If so, can you give me the case number? We have an excellent partner premier support rep who I can work with to get this up to tier 3/R&D.

@seeflat
Author

seeflat commented Dec 9, 2012

I have just created a case for this. The case number is 08485985. Thanks once again for your spectacular help.

You're right, I do recognise Chris from Stack Exchange :) But Andrew, I may have seen you around there once or twice as well :)

@vipultaylor

Hi guys,

First of all thank you both for the library and this post. I faced a similar issue using Andrew's library and was stuck. But finally found the resolution.

The issue is when you are developing a managed package using the metadata api and have restricted API access, Salesforce cannot handle the objects/structure which we provide a restricted access to and hence the error. I changed the API access from Restricted to Unrestricted and it starts working again.

@seeflat
Author

seeflat commented Mar 11, 2013

Wow Vipul! Great Work! Thank you so much for posting. I have since had to shelve the project I was using this library for. But I am sure I would have run into this issue again, so it's nice to have a solution.

@afawcett
Contributor

This is indeed great work, I'll call this out on the main README in fact! Thanks all!

@ghost

ghost commented Mar 2, 2015

Spectacular and profound detective work! The same problem reared its head with the Spring '15 release and your discussion here floated to the top of the Google search results. Thank you guys!
https://developer.salesforce.com/forums?id=906F0000000AyTgIAK

@psullivan4

I'm still having this issue.
I did the following:

  • Confirmed Package has Unrestricted API access
  • Uncheck Lock to Session ID in security.

Are there other things I'm missing?

@afawcett
Contributor

Have you got any other Session Id restrictions enabled?

@afawcett afawcett reopened this Mar 26, 2016
@afawcett
Contributor

@seeflat I'd like to close this one out, but if you want to pick this up again, please post back. 👍
