The Haplo users and groups system applies permissions based on labels. A user will probably not be allowed to read or write all the objects in the store.

The plugin API enforces this. If you attempt to read or write an object without permission, an exception will be thrown, and queries will only search objects the user is permitted to read. This is not to protect the store against plugins reading too much — a plugin has access to everything by design — but to make it easier to write plugins without having to worry accidentally leaking something the user shouldn’t see.

Checking permissions

Use functions on SecurityPrincipal objects, such as O.currentUser. Useful functions include isMemberOf() and canCreateObjectOfType().

Disabling permission checks

Sometimes it’s useful to perform a privileged operation within a request context. In this case, you can use O.withoutPermissionEnforcement() or O.impersonating() to temporarily disable permission enforcement.

You should use O.withoutPermissionEnforcement() when you need to perform an operation which is not normally permitted by the user’s permissions, but still needs to be attributed to them in the audit trail and object history.

O.impersonating() is used to switch permissions to that of any user, or to be able to perform privileged operations as a special ‘SYSTEM’ user when actions should not be attributed to any user in particular.