Apex Code Development You need to sign in to do that
Don't have an account?
Public VF page with a controller having “Without Sharing” is failing to update the record with Summer'20 Guest User Security Policy Enforced on org
I am working on a customer requirement POC where I would like to allow external users to update the record form any standard/custom object. In order to achieve this, I set up a public site/community and created a VF page with a custom controller where I am just retrieving a hardcoded record and allowing users to update and save it. The objective here is that external un-authenticated users should be able to access this page and update the record.
Given the new enhancements to the Guest User Security Policy in Summer'20 the guest user will be only allowed to Read and Create a record, however, there is a workaround of using "without sharing" on Apex Controller suggested by many community leaders but it doesn't seem to work for me.
I tried the same POC code on org with Spring 20 release and org with Summer'20 release which has all the necessary configuration suggested by the latest "Guest User Security Policy", in both orgs, it's failing with the same error.
Is this mean that the workarounds of using "without sharing" will also not work after the latest Guest User Security Policy enforcement? Is it happening only for the org where the Guest User Security Policy is enforced and public site/community setup afterward? Is this works fine if you have a public site/community created before the enforcement of the Guest User Security Policy?
Is there anything I am missing completely here in the POC code?
I search a lot to find out any documentation which clearly mentioned the behavior of "without sharing" with the Guest User Security Policy enforced but didn't found any.
If anyone has faced/facing similar issues and found a workaround, please share your experience and resolutions.
VF Page:
<apex:page controller="EditAccountPublicVFPagePOCController" showHeader="false" lightningStyleSheets="true">
<apex:form >
<apex:pageBlock >
<apex:pageBlockSection columns="2" title="Opportunity Record" id="myPanel">
<apex:outputText label="Opportunity Id" value="{!LoanApplication.Id}" rendered="{!NOT(bEditMode)}" />
<apex:outputText value="{!LoanApplication.Amount}" rendered="{!NOT(bEditMode)}" />
<apex:inputText value="{!LoanApplication.Amount}" rendered="{!bEditMode}" />
<apex:outputText value="{!LoanApplication.ExpectedRevenue}" rendered="{!NOT(bEditMode)}" />
<apex:inputText value="{!LoanApplication.ExpectedRevenue}" rendered="{!bEditMode}" />
<apex:outputText value="{!LoanApplication.Description}" rendered="{!NOT(bEditMode)}" />
<apex:inputText value="{!LoanApplication.Description}" rendered="{!bEditMode}" />
<apex:outputText value="{!LoanApplication.CurrentGenerators__c}" rendered="{!NOT(bEditMode)}" />
<apex:inputText value="{!LoanApplication.CurrentGenerators__c}" rendered="{!bEditMode}" />
<div align="center" >
<apex:commandButton action="{!doToggleEditMode}" value="Edit" reRender="myPanel" rendered="{!NOT(bEditMode)}" />
<apex:commandButton action="{!doSave}" value="Save" reRender="myPanel" rendered="{!bEditMode}" />
</div>
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
Apex Controller:
public without Sharing class EditAccountPublicVFPagePOCController {
public Opportunity LoanApplication {get;set;}
public Boolean bEditMode {
get {if(bEditMode == null) {bEditmode = false;}
return bEditMode;
}
set;
}
public EditAccountPublicVFPagePOCController(){
//Using hard-coded record id for testing POC purpose.
//Try catch purposely not added to allow issue troubleshooting.
LoanApplication = [select Id,Amount,ExpectedRevenue,Description,CurrentGenerators__c from Opportunity WHERE id = '00628000002WzGlAAK'];
}
public PageReference doToggleEditMode() {
bEditMode = !bEditMode;
return null;
}
public PageReference doSave() {
doToggleEditMode();
update LoanApplication;
return null;
}
}