Does SOQL join not respect OWD /sharing settings?

An interesting question that piqued my curiosity.

I did a few tests to analyse this behaviour. I created a Parent object and a Child object. OWD is private for both.

On the child object I created a lookup to the parent. I also created a custom field on the parent and named it "Parent Custom field".

For a custom profile which has C/R/E/D access to both objects, I shared only the child record with that profile's user.

Let's analyse it from two aspects: the standard aspect and the custom code aspect.

1. Standard aspect:

A) I logged in as the custom profile user and tried accessing the Parent record. Here is what I see: the Parent lookup field is populated and clickable.

B) After clicking that Parent record, here is what I get. (Do not have access, that's a shame.) But I could see the name of the record.

2. Custom code aspect:

I created a custom Lightning component for the child record. I made the controller with sharing and used a query that would allow me to access the child's as well as the parent's fields. I put that component on the child's page layout and checked the output.

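    public with sharing class ChildParentController {

        // Returns the child record plus the requested parent fields as pretty-printed JSON.
        // "with sharing" applies the running user's record-sharing rules to the query.
        @AuraEnabled
        public static String getChildWithParent(String childId) {
            return JSON.serializePretty([
                SELECT Id, Name, Aparent__r.Name, Aparent__r.Parent_Custom_field__c, Aparent__r.CreatedDate
                FROM Achild__c
                WHERE Id = :childId
            ]);
        }
    }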

If you notice, I have queried for the parent's Name, Parent_Custom_field__c, and CreatedDate, but I could only see the Name in my returned JSON.

Which does make sense: even the standard SF UI only allowed us to view the Name. Making it without sharing allows me to view all fields on the parent, but that's what without sharing is for.

So to answer "Does SOQL inner join not respect OWD/sharing settings?":

Yes, they do. Syntactically you can write queries that fetch the parent's fields, but they won't have any data other than the parent's Name and Id.

Edit:

For cross-object formulas, Salesforce has added a note:

NOTE: If you create a formula that references a field on another object and display that formula in your page layout, users can see the field on the object even if they don’t have access to that object record. For example, if you create a formula field on the Case object that references an account field, and display that formula field in the case page layout, users can see this field even if they don’t have access to the account record.

Which, for me, makes sense: Salesforce gives you the impression that a cross-object formula field exists on the child object. If you have access to that child record, you have access to all its fields, irrespective of where their data is fetched from.

Source: https://help.salesforce.com/articleView?id=customize_cross_object.htm&type=5
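The test above shows the parent's Name still coming back through the lookup for a user who cannot open the parent record. The following is an added example, not part of the original answer or of any Salesforce sample: a hypothetical `ChildParentSafeController` that asks `UserRecordAccess` whether the running user can read the parent and returns no parent data, not even the Name, when they cannot. It assumes the lookup field's API name is `Aparent__c` (inferred from the `Aparent__r` relationship) and that `Parent_Custom_field__c` is a text field.

```apex
// Added example; class name and ChildView wrapper are hypothetical.
// Assumes lookup field Aparent__c and a text-typed Parent_Custom_field__c.
public with sharing class ChildParentSafeController {

    // Explicit response shape: only these fields ever reach the component.
    public class ChildView {
        @AuraEnabled public Id childId;
        @AuraEnabled public String childName;
        @AuraEnabled public Boolean parentReadable = false;
        @AuraEnabled public String parentName;
        @AuraEnabled public String parentCustomField;
    }

    @AuraEnabled
    public static ChildView getChildWithParent(Id childId) {
        List<Achild__c> rows = [
            SELECT Id, Name, Aparent__c,
                   Aparent__r.Name, Aparent__r.Parent_Custom_field__c
            FROM Achild__c
            WHERE Id = :childId
            LIMIT 1
        ];
        if (rows.isEmpty()) {
            // With sharing: an unshared child simply returns no rows.
            throw new AuraHandledException('Child record not found or not shared with you.');
        }
        Achild__c child = rows[0];
        ChildView view = new ChildView();
        view.childId = child.Id;
        view.childName = child.Name;
        if (child.Aparent__c == null) {
            return view; // no parent linked, nothing to check
        }
        // Ask the platform whether the running user can read the parent record.
        List<UserRecordAccess> access = [
            SELECT RecordId, HasReadAccess
            FROM UserRecordAccess
            WHERE UserId = :UserInfo.getUserId()
              AND RecordId = :child.Aparent__c
        ];
        view.parentReadable = !access.isEmpty() && access[0].HasReadAccess;
        if (view.parentReadable) {
            view.parentName = child.Aparent__r.Name;
            view.parentCustomField = child.Aparent__r.Parent_Custom_field__c;
        }
        return view;
    }
}
```

Returning a typed wrapper instead of serializing the SObject keeps the response limited to fields the controller explicitly copies, so a later change to the SELECT list cannot widen what the component receives.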
