Deleting Salesforce Contacts You Don’t Own (Part 2)

Back in October, I posted a way to allow users to delete contacts that they don’t own. The biggest problem I had with the method was that there was no way to test if the user requesting the delete should really be able to delete it (I wanted to say if the user had at least edit permissions, then she could delete it). With the Spring release of Salesforce, there was a new object quietly exposed to Apex that makes this so easy. That object is the UserRecordAccess object. You can now query this object with SOQL to find out a user’s access to a specific record.

Let’s take a look. In its simplest form, you can query for the maximum access a user has to a particular record:

SELECT RecordId, MaxAccessLevel FROM UserRecordAccess WHERE UserId = [single ID] AND RecordId = [single ID]

Very elegant, right? Before we had access to this object, we’d have to do some major hackery by wrapping some DML in a try…catch statement to see what was possible.

So, how does this help us? We can now check whether the record Id passed to the class can be edited by the user and, if so, delete it. The delete goes through because the class uses the without sharing keyword, so it ignores the record-level sharing that would otherwise block it. That also makes the HasEditAccess check the only gate in front of the delete. The new and improved code!

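global without sharing class ContactUtil {
    // Thrown when the caller lacks edit access; defined here so the class compiles on its own
    public class deleteException extends Exception {}

    webService static String deleteContact(Id id) {
        Contact c = new Contact(Id = id);
        try {
            // Look up the running user's access to this specific record
            UserRecordAccess ura = [select RecordId, HasEditAccess from UserRecordAccess where UserId = :UserInfo.getUserId() and RecordId = :id];
            if (ura.HasEditAccess) {
                // without sharing lets the delete through even when the user is not the owner
                delete c;
            } else {
                throw new deleteException('Error deleting');
            }
            return '';
        } catch (Exception e) {
            return e.getMessage();
        }
    }
}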

Everything from the original post works exactly the same. As a bonus, here’s a link to an unmanaged package with the code (with test class!) and button:
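The following Apex test is an added example, not the test class from the package. It checks that ContactUtil.deleteContact deletes a contact for a non-owner only when UserRecordAccess reports edit access, whatever the org's sharing settings are. The class name ContactUtilAccessTest, the helper makeUser, the 'Standard User' profile and the sample values are assumptions.

```apex
@isTest
private class ContactUtilAccessTest {
    // Throwaway second user. The 'Standard User' profile name is an assumption about the org.
    private static User makeUser() {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        String uname = 'cu' + System.currentTimeMillis() + '@example.com';
        User u = new User(
            Alias = 'cutest', LastName = 'Tester', Email = uname, Username = uname,
            ProfileId = p.Id, EmailEncodingKey = 'UTF-8', LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US', TimeZoneSidKey = 'America/Los_Angeles');
        insert u;
        return u;
    }

    @isTest
    static void deleteFollowsEditAccess() {
        // Constructed sample record, owned by the user running the test
        Contact c = new Contact(LastName = 'Constructed Sample');
        insert c;
        User other = makeUser();

        Boolean canEdit = false;
        String result;
        System.runAs(other) {
            // Ask the platform what the non-owner may do. No row is treated as "no access".
            List<UserRecordAccess> ura = [SELECT RecordId, HasEditAccess FROM UserRecordAccess
                                          WHERE UserId = :UserInfo.getUserId() AND RecordId = :c.Id];
            canEdit = !ura.isEmpty() && ura[0].HasEditAccess;
            result = ContactUtil.deleteContact(c.Id);
        }

        // Outside runAs the test runs in system mode, so the count is not filtered by sharing
        Integer remaining = [SELECT COUNT() FROM Contact WHERE Id = :c.Id];
        if (canEdit) {
            System.assertEquals('', result, 'editor should get an empty result');
            System.assertEquals(0, remaining, 'contact should be deleted');
        } else {
            System.assertNotEquals('', result, 'non-editor should get an error message');
            System.assertEquals(1, remaining, 'contact must survive a refused delete');
        }
    }
}
```

Which branch runs depends on the org-wide default for contacts: with private sharing the refusal path is exercised, with public read/write the delete path is.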


7 thoughts on “Deleting Salesforce Contacts You Don’t Own (Part 2)”

  1. Pingback: Deleting Salesforce Contacts You Don’t Own « Vertical Code

  2. Pingback: From Around the Web: May 5, 2012

  3. Great job, really good that you have included the test class and especially nice to include the unmanaged package. We are looking for a solution where someone can use the Merge contacts feature when they don’t own the record or are not higher in the hierarchy. Any solution to this yet?

  4. Pingback: Deleting Any Object You Don’t Own « Vertical Code
