Sunday, May 13, 2018

‘With Sharing’ / ‘Without Sharing’ in Salesforce



Salesforce keywords work wonders, and the ‘With Sharing’ / ‘Without Sharing’ keyword is one of them, yet we are sometimes oblivious to how they work internally.

Let’s try to understand each.

‘With Sharing’:
This keyword can be used on Apex classes, like public with sharing class contactMasterTriggerHandler { }.

What does it do?
Although Apex always executes in system context, the ‘With Sharing’ keyword enforces only the ‘Record level security’, ‘User Permissions’ and ‘Profile permissions’ of the context user performing the operation; it doesn't enforce field-level security (FLS).

For instance, if a with sharing class is updating a list of records of an object and the context user doesn't have Edit access to that object, it throws an 'Insufficient access/privileges' error. On the other hand, it ignores FLS: if the user doesn't have edit access to a field, it throws no error and the update succeeds.
To understand this point, let's take a look at the example below:

Let’s take an instance:

There is a trigger on Contact that uses a trigger handler declared ‘With Sharing’, and in the After Update of Contact it updates the Account’s Rating field based on some conditions.
Here the OWD of Account is Private, and since the Contact OWD is governed 'by parent', it is also Private.

The user has no access to any Account records except the ones he/she created (because the OWD is Private and no other sharing is done) and doesn’t have FLS on the Rating field of Account (this is the field to be updated in the given code below).

How should it behave in such a scenario, with 'With Sharing' on the trigger handler Apex class?

Let's take a look at the code: 



  • OWD as Private and no FLS access:
It will not pick up Account records the user doesn't have access to, so only the records the user has access to are picked up and updated, but it doesn’t throw any error.

  • OWD as Public Read/Write and no FLS access:
It will pick up all the Account records that the SOQL returns and, despite the user having no FLS access, doesn’t throw any error about insufficient access to the field.
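
The scenario above as an added Apex example (not the post's original code): a with sharing handler that updates Account Rating after a Contact update, with an explicit field-level security check because the keyword alone does not enforce FLS. The trigger name, method name, LeadSource condition and 'Hot' value are assumptions.

```apex
// Added example; the handler class name comes from the post, the rest is assumed.
// File 1 (hypothetical trigger name): contactMasterTrigger.trigger
trigger contactMasterTrigger on Contact (after update) {
    contactMasterTriggerHandler.updateAccountRating(Trigger.new);
}

// File 2: contactMasterTriggerHandler.cls
public with sharing class contactMasterTriggerHandler {

    public static void updateAccountRating(List<Contact> updatedContacts) {
        Set<Id> accountIds = new Set<Id>();
        for (Contact c : updatedContacts) {
            // Hypothetical condition standing in for the post's "some conditions".
            if (c.AccountId != null && c.LeadSource == 'Partner Referral') {
                accountIds.add(c.AccountId);
            }
        }
        if (accountIds.isEmpty()) {
            return;
        }

        // 'with sharing' limits this query to Accounts shared with the context
        // user, so with a Private OWD other users' Accounts are not returned.
        List<Account> accounts =
            [SELECT Id, Rating FROM Account WHERE Id IN :accountIds];

        // FLS is not applied automatically to the DML below, so check it
        // explicitly when the user's field permissions should be respected.
        if (!Schema.sObjectType.Account.fields.Rating.isUpdateable()) {
            return; // leave Rating untouched for users without edit FLS
        }

        for (Account a : accounts) {
            a.Rating = 'Hot'; // hypothetical target value
        }
        update accounts;
    }
}
```

Removing the isUpdateable() check reproduces the behaviour described in the two bullets: the update succeeds for a user with no FLS on Rating.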



2nd Instance:
Let's say there is a Visualforce page whose Apex controller is declared 'With Sharing'; it behaves in the same way as explained in the example above.
But the visibility of fields on a VF page depends entirely on the user who is opening the page, whether the Apex controller is declared with or without the sharing keyword.

‘Without Sharing’:
When no keyword is given with the Apex class name, it is 'Without Sharing' by default; however, you can also use the without sharing keywords to ensure that Apex scripts do not enforce the sharing rules of the running user.


Without Sharing Apex executes in system context, and hence the Apex code has access to all objects and fields: object permissions, field-level security and sharing rules aren’t applied for the current user. This is to ensure that code won’t fail to run because of fields or objects hidden from the user.

Key Points about 'With Sharing' / 'Without Sharing' 
  • If the class is called by another class that has sharing enforced, then sharing is enforced for the called class.
  • ExecuteAnonymous always executes using the full permissions of the current user (including sharing settings).
  • The sharing setting of the class where the method is defined is applied, not that of the class where the method is called. For example, if a method that is defined in a class declared as with sharing is called by a class declared as without sharing, the method will execute with sharing rules enforced.
