What should the developer use to enforce sharing permissions for the currently logged in user while using the custom search tool?
Universal Containers implemented a private sharing model for the Account object. A custom Account search tool was developed with Apex to help sales representatives find accounts that match multiple criteria they specify. Since its release, users of the tool report they can see Accounts they do not own.
What should the developer use to enforce sharing permissions for the currently logged in user while using the custom search tool?
A. Use the schema describe calls to determine if the logged-in user has access to the Account object.
B. Use the with sharing keyword on the class declaration.
C. Use the without sharing keyword on the class declaration.
D. Use the UserInfo Apex class to filter all SOQL queries to return records owned by the logged-in user.
Answer: B
Explanation:
Since users can see Accounts they do not own in a private sharing model, the custom Apex code is likely not enforcing sharing rules. To enforce sharing permissions, the developer should use the with sharing keyword on the class declaration.
with sharing Keyword: This enforces the sharing rules of the current user, ensuring that the Apex class respects the user’s record-level access permissions.
"Use the with sharing keyword when declaring a class to enforce the sharing rules that apply to the current user."
― Apex Developer Guide: Using the with sharing or without sharing Keywords
Private Sharing Model: In a private sharing model, users should only see records they own or that have been shared with them.
"Private: Only the record owner and users above that role in the hierarchy can view, edit, and report on those records."
― Salesforce Help: Organization-Wide Sharing Defaults
Why Not Other Options:
A. Use the schema describe calls to determine if the logged-in user has access to the Account object: Schema describe calls check for object-level access, not record-level sharing.
"Schema describe information provides metadata about object and field properties, but it doesn’t enforce record-level access."
― Apex Developer Guide: Schema Namespace
C. Use the without sharing keyword on the class declaration: This runs the class in system context, ignoring sharing rules, which is the opposite of what’s needed.
"Classes declared as without sharing or those that do not specify a keyword default to without sharing and don’t enforce the sharing rules of the current user."
― Apex Developer Guide: Using the with sharing or without sharing Keywords
D. Use the UserInfo Apex class to filter all SOQL queries to return records owned by the logged-in user: Manually filtering queries is error-prone and not a best practice when with sharing can enforce sharing automatically.
"Avoid hardcoding user or profile IDs and using the UserInfo class to enforce security. Instead, use declarative security features."
― Apex Developer Guide: Enforcing Security in Apex
Conclusion: By declaring the class with with sharing, the Apex code respects the user’s sharing rules, ensuring that users only see Accounts they have access to.
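The fix from the explanation above, shown as an added example that is not code from the exam material or from Salesforce. The class, method and test names are hypothetical, and the test assumes the org-wide default for Account is Private and that a "Standard User" profile exists.

```apex
// Added example; AccountSearch, search() and the test class are hypothetical names.
// Each top-level class goes in its own .cls file.

// Hardened form: "with sharing" makes the query return only Accounts the
// running user can access. The bug described in the question is this same
// class declared as "public class AccountSearch" with no sharing keyword.
public with sharing class AccountSearch {
    public static List<Account> search(String nameFragment, String industry) {
        String likeTerm = '%' + nameFragment + '%'; // passed as a bind variable below
        return [
            SELECT Id, Name, Industry, OwnerId
            FROM Account
            WHERE Name LIKE :likeTerm AND Industry = :industry
            LIMIT 200
        ];
    }
}

// Regression check: a user who neither owns the record nor has it shared gets no rows.
// Assumes Account OWD is Private and a "Standard User" profile exists in the org.
@IsTest
private class AccountSearchTest {
    @IsTest
    static void otherUsersDoNotSeeUnsharedAccounts() {
        // Constructed sample record, owned by the user running the test.
        insert new Account(Name = 'Constructed Acme', Industry = 'Energy');

        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User rep = new User(
            Alias = 'rep1', LastName = 'Rep', Email = 'rep1@example.com',
            Username = 'rep1.' + System.currentTimeMillis() + '@example.com',
            ProfileId = p.Id, TimeZoneSidKey = 'GMT', LocaleSidKey = 'en_US',
            EmailEncodingKey = 'UTF-8', LanguageLocaleKey = 'en_US'
        );
        insert rep;

        System.runAs(rep) {
            List<Account> hits = AccountSearch.search('Acme', 'Energy');
            System.assertEquals(0, hits.size(), 'Unshared Account leaked to another user');
        }
    }
}
```

System.runAs enforces record sharing in test context, so the assertion checks record-level access rather than object permissions.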