Home/ Questions/Q 7898977
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T08:34:55+00:00

This is more of a best practices question. Our org currently has public read

  • 0

This is more of a best practices question. Our org currently has “public read” permissions on our org wide defaults for custom objects. We cannot make this private because of the way its working now for internal employees or rather we are trying to avoid this.

I am also creating a customer portal with custom visual force pages…where I display data using SOQL queries.

Is it a good idea to add a clause on the SOQL query to return only those records where the account id matches the logged in user’s acount id?

I did it and it works fine…But are there any pitfalls to this method that I am overlooking?

Thanks,
Calvin

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Per the Visualforce Documentation

    Because standard controllers execute in user mode, in which the
    permissions, field-level security, and sharing rules of the current
    user are enforced, extending a standard controller allows you to build
    a Visualforce page that respects user permissions. Although the
    extension class executes in system mode, the standard controller
    executes in user mode. As with custom controllers, you can specify
    whether a user can execute methods in a controller extension based on
    the user’s profile.

    I believe the idea being, as long as your classes are public with sharing then permissions should be enforced and records should not be returned that the user cannot see (same with fields on a record).

    per the Apex Documentation

    Apex generally runs in system context; that is, the current user’s
    permissions, field-level security, and sharing rules aren’t taken into
    account during code execution.

    Use the with sharing keywords when declaring a class to enforce the sharing rules that apply to the current user. For example:

    public with sharing class sharingClass {

// Code here 


}

    Use the without sharing keywords when declaring a class to ensure that the sharing rules for the current user are not enforced. For example:

    public without sharing class noSharing {

// Code here 


}

    Otherwise you would have to spend hours ensuring that the right permissions applied at exactly the right time for the right user. It would almost completely defeat the purpose of a visualforce page!

    • 0