Users are able to Edit Records on Salesforce1 Hybrid App even if they only have Read-Only Record Access when Offline Settings is Enabled
Last updated 2018-05-05 · Reference W-3859570 · Reported By 9 users
A user with no Read/Write access on the record can edit and save successfully on Salesforce1 hybrid App if 'Enable offline create, edit, and delete in Salesforce1' is checked and they have permission to transfer records in their profile.
So far, this has been seen on Leads, Cases and Accounts.
1. In S1, log in as a standard user.
2. Go to Leads, Cases or Accounts and pick a record to which the test user has only Read-Only access, while the user's profile has Edit permission on the object and the 'Transfer Records' permission.
* If editing a Lead record, confirm that the user has either the 'Transfer Records' or 'Transfer Leads' permission, or the 'Transfer Cases' permission if editing a Case record.
3. Make changes and Save.
Actual Result: Record is saved successfully.
Expected Result: Should not save and show this error: "insufficient access rights on object id"
I. Uncheck 'Enable offline create, edit, and delete in Salesforce1' in Setup | Salesforce1 Offline.
II. Remove the 'Transfer Records', 'Transfer Leads' and 'Transfer Cases' permissions in the user profile or permission set.
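To see which users meet the permission preconditions described above before removing anything, this added example (not Salesforce's code) combines each user's profile and permission set grants. It assumes the API field names PermissionsTransferAnyEntity, PermissionsTransferAnyLead and PermissionsTransferAnyCase for 'Transfer Records', 'Transfer Leads' and 'Transfer Cases', runs on constructed rows, takes the offline setting as a hand-supplied flag, and does not evaluate record-level sharing.

```python
# Added example. Rows are constructed and shaped like SOQL results from
# PermissionSet, ObjectPermissions and PermissionSetAssignment.
AFFECTED = {  # object -> transfer permissions this issue names for it
    "Lead": {"PermissionsTransferAnyEntity", "PermissionsTransferAnyLead"},
    "Case": {"PermissionsTransferAnyEntity", "PermissionsTransferAnyCase"},
    "Account": {"PermissionsTransferAnyEntity"},
}
TRANSFER_FIELDS = set().union(*AFFECTED.values())

def _ps(ps_id, label, *granted):
    """Build one constructed PermissionSet row."""
    return {"Id": ps_id, "Label": label, **{f: f in granted for f in TRANSFER_FIELDS}}

PERMISSION_SETS = [  # profile-owned permission sets are included
    _ps("PS1", "Sales User profile"),
    _ps("PS2", "Lead Reassignment", "PermissionsTransferAnyLead"),
    _ps("PS3", "Support Lead profile", "PermissionsTransferAnyEntity"),
    _ps("PS4", "Case Router", "PermissionsTransferAnyCase"),
]
OBJECT_PERMISSIONS = [
    {"ParentId": "PS1", "SobjectType": "Lead", "PermissionsEdit": True},
    {"ParentId": "PS1", "SobjectType": "Case", "PermissionsEdit": True},
    {"ParentId": "PS3", "SobjectType": "Account", "PermissionsEdit": True},
    {"ParentId": "PS4", "SobjectType": "Case", "PermissionsEdit": False},
]
# (AssigneeId, PermissionSetId) pairs
ASSIGNMENTS = [("U1", "PS1"), ("U1", "PS2"), ("U2", "PS3"), ("U3", "PS1"), ("U4", "PS4")]

def exposed_users(perm_sets, obj_perms, assignments, offline_edit_enabled):
    """Map user -> {object: transfer permissions} where the issue's preconditions hold."""
    if not offline_edit_enabled:  # workaround I: the offline setting is unchecked
        return {}
    by_id = {ps["Id"]: ps for ps in perm_sets}
    transfer, editable = {}, {}
    for user, ps_id in assignments:  # permissions accumulate across assignments
        ps = by_id[ps_id]
        transfer.setdefault(user, set()).update(f for f in TRANSFER_FIELDS if ps[f])
        editable.setdefault(user, set()).update(
            op["SobjectType"] for op in obj_perms
            if op["ParentId"] == ps_id and op["PermissionsEdit"])
    findings = {}
    for user, objects in editable.items():
        for obj in sorted(objects & set(AFFECTED)):
            granted = transfer[user] & AFFECTED[obj]
            if granted:  # Edit on the object plus a matching transfer permission
                findings.setdefault(user, {})[obj] = sorted(granted)
    return findings

if __name__ == "__main__":
    print(exposed_users(PERMISSION_SETS, OBJECT_PERMISSIONS, ASSIGNMENTS, True))
```

U1 is flagged only because the Edit grant from the profile and the transfer grant from a separate permission set combine, which a per-profile review would miss.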