CanTheUser
A reusable, intuitive library for determining whether or not the
current user can create, read, edit, or delete objects, as well as
determining if the user has access or update permissions on specific fields.
This class name was chosen to facilitate easy-to-understand and read code.
Whenever you need to check FLS or CRUD access, your code reads like this:
`if(CanTheUser.read(new account())){}`,
making the calling and use of this
code easy and intuitive.
Group Security Recipes
TESTVISIBLE
TESTVISIBLE
Param | Description |
---|---|
obj | the object type to check |
permission | create, read, update or delete |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.crud(new Account(), CanTheUser.CrudType.READ));
```
TESTVISIBLE
TESTVISIBLE
convenience api for determining if the running user can create the specified object
Param | Description |
---|---|
obj | Object type to check create permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.create(new Account()));
```
convenience api for determining if the running user can create the specified object
Param | Description |
---|---|
objs | list of objects. Only the first will be checked. (logically, a list is of uniform type, and if the user can create one) |

Type | Description |
---|---|
Boolean | Boolean |
convenience api for determining if the running user can create the specified object
Param | Description |
---|---|
String | Object type to check create permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.create('Account'));
```
convenience api for determining if the running user can read / access the specified object
Param | Description |
---|---|
obj | object type to check read permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.read(new Account()));
```
convenience api for determining if the running user can read / access the specified objects
Param | Description |
---|---|
obj | object type to check read permissions on |

Type | Description |
---|---|
Boolean | Boolean |
convenience api for determining if the running user can read the specified object
Param | Description |
---|---|
String | Object type to check read permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.read('Account'));
```
convenience api for determining if the running user can edit / update the specified object
Param | Description |
---|---|
obj | object type to check edit permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.edit(new Account()));
```
convenience api for determining if the running user can edit / update the specified objects
Param | Description |
---|---|
obj | object type to check edit permissions on |

Type | Description |
---|---|
Boolean | Boolean |
convenience api for determining if the running user can edit the specified object
Param | Description |
---|---|
String | Object type to check edit permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.edit('Account'));
```
convenience api for determining if the running user can upsert (insert and update) the specified objects
Param | Description |
---|---|
obj | object type to check edit permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.ups(new Account()));
```
convenience api for determining if the running user can edit / update the specified objects
Param | Description |
---|---|
obj | object type to check upsert permissions on |

Type | Description |
---|---|
Boolean | Boolean |
convenience api for determining if the running user can upsert the specified object
Param | Description |
---|---|
String | Object type to check upsert permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.ups('Account'));
```
convenience api for determining if the running user can delete/destroy the specified object
Param | Description |
---|---|
obj | object type to check destroy permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.destroy(new Account()));
```
convenience api for determining if the running user can delete the specified object
Param | Description |
---|---|
String | Object type to check delete permissions on |

Type | Description |
---|---|
Boolean | Boolean |
convenience api for determining if the running user can delete the specified object
Param | Description |
---|---|
String | Object type to check create permissions on |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.destroy('Account'));
```
public method to determine if a given field on a given object is Accessible (readable)
Param | Description |
---|---|
obj | the object in question, in string form |
field | the field in question in SObjectField form |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.flsAccessible('Account', 'Name'));
```
bulk form of flsAccessible
Param | Description |
---|---|
obj | Obj name on which to check |
fields | Set of Fields to check for accessibility. |

Type | Description |
---|---|
Map<String,Boolean> | Map<String, Boolean> |

```apex
// The fields parameter is documented above as a Set of field names.
Set<String> fields = new Set<String>{'Name', 'ShippingStreet'};
System.debug(CanTheUser.bulkFLSAccessible('Account', fields));
```
public method to determine if a given field on a given object is Updatable.
Param | Description |
---|---|
obj | the string version of an object name |
field | the field to check |

Type | Description |
---|---|
Boolean | Boolean |

```apex
System.debug(CanTheUser.flsUpdatable('Account', 'Name'));
```
bulk form of flsUpdatable call
Param | Description |
---|---|
obj | Name of the object |
fields | Set of Field names to check |

Type | Description |
---|---|
Map<String,Boolean> | Map<String, Boolean> |

```apex
// The fields parameter is documented above as a Set of field names.
Set<String> fields = new Set<String>{'Name', 'ShippingStreet'};
System.debug(CanTheUser.bulkFLSUpdatable('Account', fields));
```
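The CRUD and FLS checks documented above, combined to guard a dynamic query and an update. This is an added example, not code from the project: `AccountFieldGuard`, `AccessException` and the method names are hypothetical, and the `Set<String>` argument to `bulkFLSAccessible` is assumed from its parameter description.

```apex
// Added example; AccountFieldGuard and its members are hypothetical names.
public with sharing class AccountFieldGuard {
    public class AccessException extends Exception {}

    // Returns only the requested Account fields the running user may read.
    public static List<String> readableFields(Set<String> requested) {
        // Object-level (CRUD) check first: FLS is meaningless without it.
        if (!CanTheUser.read('Account')) {
            throw new AccessException('No read access to Account');
        }
        // Assumption: the fields argument is a Set<String>, per its description.
        Map<String, Boolean> fls = CanTheUser.bulkFLSAccessible('Account', requested);
        List<String> allowed = new List<String>();
        // Iterate the returned keys so the lookup does not depend on key casing.
        for (String field : fls.keySet()) {
            if (fls.get(field) == true) {
                allowed.add(field);
            }
        }
        return allowed;
    }

    // Queries only readable fields, so hidden fields never reach the caller.
    public static List<Account> fetch(Set<String> requested, Integer maxRows) {
        List<String> allowed = readableFields(requested);
        if (allowed.isEmpty()) {
            throw new AccessException('None of the requested fields are readable');
        }
        // Only names that passed the FLS check are concatenated into the query.
        String soql = 'SELECT ' + String.join(allowed, ', ') +
            ' FROM Account LIMIT :maxRows';
        return Database.query(soql);
    }

    // Refuses the whole update if the CRUD or the field-level check fails.
    public static void rename(List<Account> accounts, String newName) {
        if (!CanTheUser.edit('Account') ||
            !CanTheUser.flsUpdatable('Account', 'Name')) {
            throw new AccessException('No update access to Account.Name');
        }
        for (Account acct : accounts) {
            acct.Name = newName;
        }
        update accounts;
    }
}
```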
SUPPRESSWARNINGS
TESTVISIBLE
Utilizes the Metadata catalog to determine FLS. Note: this method contains a false-positive PMD violation. Normally, we'd want to check for FLS/CRUD here, but for metadata catalog objects that admins cannot remove permissions to, we're ok. Additionally, even the minimum access profile user has read access to the FieldPermissions object.

Param | Description |
---|---|
objType | String version of the object type to check |
action | Enum of the FLS action to check permissions for |

Type | Description |
---|---|
Set<String> | set<String> |
Abstracted method for retrieving or calculating (memoization) the FLS for a given field on a given object.

Param | Description |
---|---|
obj | String version of object name to check |
field | String version of the field to check |
checkType | Enum of Accessible or Updatable. |

Type | Description |
---|---|
Boolean | Boolean |
Internal custom exception class
Inheritance
CanTheUserException
This CacheBuilder interface allows the CanTheUser class to cache per-object results for each object requested. This prevents the need to repeatedly calculate permission usage by making Schema.Describe* calls.
Implemented types
Required method for the CacheBuilder interface. Used here to either calculate an object's per-user FLS, or to return it from Cache. The return data structure for this is Map<String, Map<FLSType,Boolean>> and represents: FieldName -> FLStype -> True/False

Param | Description |
---|---|
objType | String object name used as the cache key |

Type | Description |
---|---|
Object | Object |
Calculates the FLS for a given object type
Param | Description |
---|---|
objType | String name of the object type |

Type | Description |
---|---|
Map<String,Map<FLSType,Boolean>> | Map<String, Map<FLSType, Boolean>> |