Apex Unit Test doesn’t obey CRUD Security

I’m trying to test a user profile which doesn’t have create access to certain custom objects. Even though the profile is set up such that they have read-only or NO access at all, the unit test code is creating the record without any issues. I’m doing the following, e.g. System.runAs(profile).

I found in another thread that CRUD/FLS is used for VF or API requests only.

Any thoughts or suggestions?

Answers:


Method 1

From the documentation Using the runAs Method:

The runAs method doesn’t enforce user permissions or field-level permissions, only record sharing.

Try using Schema.DescribeSObjectResult to check the user-level access to SObjects and Schema.DescribeFieldResult for the field-level access.

Method 2

Additionally:

  • The sharing keyword on a class only affects sharing. It does not affect CRUD or FLS.
  • With the sole exception of ExecuteAnonymous, Apex code does not enforce CRUD or FLS – you must manually interrogate object and field accessibility.

To assert in code that a user profile does not have create access, you need something like:

@isTest
static void testCrudSecurity() {
    // Build an unsaved user with the profile under test ('Read Only' is a standard profile; substitute yours)
    Profile p = [SELECT Id FROM Profile WHERE Name = 'Read Only' LIMIT 1];
    User u = new User(Alias = 'crud', Email = 'crud@example.com', EmailEncodingKey = 'UTF-8',
        LastName = 'Tester', LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US', ProfileId = p.Id,
        TimeZoneSidKey = 'America/Los_Angeles', UserName = 'crud' + DateTime.now().getTime() + '@example.com');
    System.runAs(u) {
        // runAs switches record sharing only, so CRUD must be checked via describe
        System.assert(!Schema.SObjectType.Account.isCreateable());
    }
}
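As an added example (not code from either answer), the following shows the manual enforcement pattern Method 1 and Method 2 describe: a service class that refuses DML unless the describe results show object- and field-level create access, and a test that uses System.runAs with a restricted profile to prove the refusal. The class names, the 'Read Only' profile (a standard Salesforce profile) and the user field values are assumptions.

```apex
// Added example: Apex does not enforce CRUD/FLS, so the service class must
// interrogate the describe results itself before performing DML.
public with sharing class AccountService {

    public class AccessException extends Exception {}

    // Insert an Account only if the running user has object-level create access
    // and field-level create access on every field being written.
    public static Account createAccount(String name, String phone) {
        Schema.DescribeSObjectResult objDescribe = Schema.SObjectType.Account;
        if (!objDescribe.isCreateable()) {
            throw new AccessException('No create access on Account');
        }
        Map<String, Schema.SObjectField> fields = objDescribe.fields.getMap();
        for (String fieldName : new List<String>{ 'Name', 'Phone' }) {
            if (!fields.get(fieldName).getDescribe().isCreateable()) {
                throw new AccessException('No create access on Account.' + fieldName);
            }
        }
        Account acc = new Account(Name = name, Phone = phone);
        insert acc;
        return acc;
    }
}

@isTest
private class AccountServiceTest {
    @isTest
    static void restrictedProfileCannotCreate() {
        // 'Read Only' is a standard profile; substitute the profile under test
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Read Only' LIMIT 1];
        User u = new User(Alias = 'ro', Email = 'ro@example.com', EmailEncodingKey = 'UTF-8',
            LastName = 'ReadOnly', LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
            ProfileId = p.Id, TimeZoneSidKey = 'America/Los_Angeles',
            UserName = 'ro' + DateTime.now().getTime() + '@example.com');
        // runAs changes the running user for sharing, but the describe checks
        // inside createAccount are what actually reject the insert here.
        System.runAs(u) {
            try {
                AccountService.createAccount('Acme', '555-0100');
                System.assert(false, 'Expected AccessException');
            } catch (AccountService.AccessException e) {
                System.assert(e.getMessage().contains('No create access'));
            }
        }
    }
}
```

On newer API versions the same object- and field-level checks can also be delegated to Security.stripInaccessible() and to SOQL's WITH SECURITY_ENFORCED clause.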


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
