From 01d3a16a4076fb939c46e87aba3797043ceff52b Mon Sep 17 00:00:00 2001
From: David Esposito
Date: Thu, 22 Feb 2024 15:53:04 -0500
Subject: [PATCH] Fixes #440 - changes the few tests that are exercising CRUD/FLS enforcement to prefer the 'Minimum Access - Salesforce' profile since that is a more reliable Profile in most modern orgs
---
 .../classes/fflib_SObjectSelectorTest.cls | 12 ++++-----
 .../test/classes/fflib_SecurityUtilsTest.cls | 26 +++++++++----------
 2 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/sfdx-source/apex-common/test/classes/fflib_SObjectSelectorTest.cls b/sfdx-source/apex-common/test/classes/fflib_SObjectSelectorTest.cls
index 190393b31d2..c89b19e7fb0 100644
--- a/sfdx-source/apex-common/test/classes/fflib_SObjectSelectorTest.cls
+++ b/sfdx-source/apex-common/test/classes/fflib_SObjectSelectorTest.cls
@@ -378,7 +378,7 @@ private with sharing class fflib_SObjectSelectorTest
 static void toSOQL_When_UserModeAndUserCannnotReadObject_Expect_QueryException(){
 AccessLevelOpportunitySelector sel = new AccessLevelOpportunitySelector();
- User u = getLimitedReadOnlyUser();
+ User u = getMinimumAccessUser();
 System.runAs(u){
 try{
 System.debug(sel.newQueryFactory().toSOQL());
@@ -399,7 +399,7 @@ private with sharing class fflib_SObjectSelectorTest
 static void toSOQL_When_SystemModeAndUserCannnotReadObject_Expect_Success(){
 AccessLevelOpportunitySelector sel = new AccessLevelOpportunitySelector(fflib_SObjectSelector.DataAccess.SYSTEM_MODE);
- User u = getLimitedReadOnlyUser();
+ User u = getMinimumAccessUser();
 System.runAs(u){
 sel.selectSObjectsById(new Set{fflib_IDGenerator.generate(Opportunity.SObjectType)});
 }
@@ -410,7 +410,7 @@ private with sharing class fflib_SObjectSelectorTest
 AccessLevelAccountSelector sel = new AccessLevelAccountSelector();
 //Account has Read access by the limited read only user but no FLS access
- User u = getLimitedReadOnlyUser();
+ User u = getMinimumAccessUser();
 System.runAs(u){
 try{
 System.debug(sel.newQueryFactory().toSOQL());
@@ -433,7 +433,7 @@ private with sharing class fflib_SObjectSelectorTest
 AccessLevelAccountSelector sel = new AccessLevelAccountSelector(fflib_SObjectSelector.DataAccess.SYSTEM_MODE);
 //Account has Read access by the limited read only user but no FLS access
- User u = getLimitedReadOnlyUser();
+ User u = getMinimumAccessUser();
 System.runAs(u){
 sel.selectSObjectsById(new Set{fflib_IDGenerator.generate(Account.SObjectType)});
 }
@@ -651,8 +651,8 @@ private with sharing class fflib_SObjectSelectorTest
 return testUser;
 }
- private static User getLimitedReadOnlyUser(){
- return fflib_SecurityUtilsTest.setupTestUser('Read Only');
+ private static User getMinimumAccessUser(){
+ return fflib_SecurityUtilsTest.setupTestUser(true);
 }
 @IsTest
diff --git a/sfdx-source/apex-common/test/classes/fflib_SecurityUtilsTest.cls b/sfdx-source/apex-common/test/classes/fflib_SecurityUtilsTest.cls
index 3e7e4c93a15..5b30aab02ec 100644
--- a/sfdx-source/apex-common/test/classes/fflib_SecurityUtilsTest.cls
+++ b/sfdx-source/apex-common/test/classes/fflib_SecurityUtilsTest.cls
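Review bot: The context comment `//Account has Read access by the limited read only user but no FLS access` directly above the changed line still describes the user in terms of the old 'Read Only' profile, while the user now comes from `getMinimumAccessUser()`, whose Account Read access is granted by the ReadOnlyPermissionSet assignment in setupTestUser rather than by the profile. Suggest rewording it to `//Account has Read access (via the ReadOnlyPermissionSet) for the minimum-access user but no FLS access` so the next reader does not assume profile-level object access. The same stale comment appears in the hunk at line 433. The enclosing test method starts before the hunk.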
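Review bot: `getMinimumAccessUser()` can return a user on the 'Read Only' profile when setupTestUser(true) falls back in an org without 'Minimum Access - Salesforce', so the new name promises a fixed access set that the helper does not guarantee. A one-line comment above the declaration such as `// 'Minimum Access - Salesforce' profile user, or a 'Read Only' profile user in orgs that lack it (see fflib_SecurityUtilsTest.setupTestUser)` would keep the CRUD/FLS tests that call it from being read as testing a single, known permission baseline. The `return testUser;` that opens the hunk belongs to a method that starts outside it.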
@@ -79,22 +79,20 @@ private class fflib_SecurityUtilsTest {
 }
 @TestVisible
- static User setupTestUser(String profileName){
+ static User setupTestUser(Boolean limitedAccess){
 Profile p;
- Boolean applyReadOnlyPermissionSet = false;
- if (profileName == 'Read Only') {
- applyReadOnlyPermissionSet = true;
+
+ if (limitedAccess) {
 try {
- p = getProfile(profileName);
+ p = getProfile('Minimum Access - Salesforce');
 } catch (QueryException ex) {
 if (ex.getMessage().contains('List has no rows for assignment to SObject')) {
- // #315 If the "Read Only" Profile is absent, then assume it's a Spring '21 org and see if there's a
- // "Minimum Access - Salesforce" Profile we can use instead.
- p = getProfile('Minimum Access - Salesforce');
+ //#440 - not ideal, but we'll fall back to the rather liberally permissioned 'Read Only' profile that exists in very old orgs
+ p = getProfile('Read Only');
 }
 }
 } else {
- p = getProfile(profileName);
+ p = getProfile('System Administrator');
 }
 //username global uniqueness is still enforced in tests
@@ -118,7 +116,7 @@ private class fflib_SecurityUtilsTest {
 );
 insert usr;
- if (applyReadOnlyPermissionSet) {
+ if (limitedAccess) {
 // #315 We need to assign the Perm Set to grant Account "Read" access
 PermissionSet accountReadPS = [SELECT Id FROM PermissionSet WHERE Name = 'ReadOnlyPermissionSet'];
 PermissionSetAssignment psa = new PermissionSetAssignment(AssigneeId = usr.Id, PermissionSetId = accountReadPS.Id);
@@ -129,7 +127,7 @@ private class fflib_SecurityUtilsTest {
 @isTest
 static void readonly_field_access() {
- User testUser = setupTestUser('Read Only');
+ User testUser = setupTestUser(true);
 System.runAs(testUser){
 {
 fflib_SecurityUtils.SecurityException ex;
@@ -172,7 +170,7 @@ private class fflib_SecurityUtilsTest {
 @isTest
 static void readonly_object_access() {
- User testUser = setupTestUser('Read Only');
+ User testUser = setupTestUser(true);
 System.runAs(testUser){
 {
 fflib_SecurityUtils.SecurityException ex;
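Review bot: The fallback `p = getProfile('Read Only');` inside the catch block has no handling of its own, so in an org that has neither profile the test aborts with a second QueryException that does not say which profiles were looked for, and if the first exception's message does not contain the matched substring `p` is left null and the later use of it fails on a null dereference instead. A guard after the if/else such as `System.assertNotEquals(null, p, 'No limited-access profile (Minimum Access - Salesforce / Read Only) found in this org');` would make that failure explicit. Because the two profiles grant different access, it would also help to `System.debug` which one was selected so a CRUD/FLS test that behaves differently under the more permissive 'Read Only' fallback can be diagnosed from the log. Changing the `@TestVisible` parameter from String to Boolean also breaks any other test class that still calls `setupTestUser('...')`; none is visible in this diff, so that may already be accounted for. The method continues past the end of the hunk.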
@@ -226,7 +224,7 @@ private class fflib_SecurityUtilsTest {
 @isTest
 static void readonly_objectAndField_access() {
- User testUser = setupTestUser('Read Only');
+ User testUser = setupTestUser(true);
 System.runAs(testUser){
 {
 fflib_SecurityUtils.SecurityException ex;
@@ -311,7 +309,7 @@ private class fflib_SecurityUtilsTest {
 @isTest
 static void sysadmin_objectAndField_access() {
- User testUser = setupTestUser('System Administrator');
+ User testUser = setupTestUser(false);
 System.runAs(testUser){
 fflib_SecurityUtils.checkInsert(
 Account.SObjectType,