function readOnly(count){ }
Sign Up ›
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
Learn More

Browse by Topic
ShowAll Questionssorted byDate Posted
+ Start a Discussion
Issimo 6Issimo 6 

Spring 21 Sites Permissions Blocking Updates

We have a Salesforce Site with a single Visualforce page which displays a record from a custom object. The associated custom controller has an action which updates the record. The controller class is defined as Public Class MyClass.

So, since the Spring 21 release, the Guest User profile no longer has Edit permissions on the Custom object. No problem I thought, the controller is just defaulting to 'with sharing' and I need to explicitly make it 'without sharing' so that it runs in System Mode and has full access to all fields and permissions on the custom object. So my class definition is now Public without sharing Class MyClass.

But this didn't make any difference and I'm still getting the error -
System.VisualforceException: Update access denied for MyCustomObject__c, controller action methods may not execute

I'm thinking that this is not going to be possible to fix, without using a licence or community setup. I would be grateful for any advice.
Shalu Gangwar 15Shalu Gangwar 15
Can you please let me know the VF page code so that I can see what is wrong in it?
Michael Johnson 136Michael Johnson 136
Yuck yuck yuck, looks like Salesforce has removed edit/delete permissions for public site guest license in Spring 21 release https://advancedcommunities.com/important-critical-updates-public-security-policies/#:~:text=Restrictions%3A%20guest%20users%20can%20no,longer%20available%20for%20guest%20users.&text=Guest%20users%20are%20no%20longer,assigned%20to%20a%20default%20user . Likely have to come up with a workaround or possible create an ugly work around like cloning the existing record.
Issimo 6Issimo 6
This article explains the changes -
https://help.salesforce.com/articleView?id=sf.networks_guest_policies_timelines.htm&type=5
- but it does say 'Guest users can only update or delete records in System Mode'

Does adding 'without sharing' to the page's custom controller not do this?
Shalu Gangwar 15Shalu Gangwar 15
It will but also depends on your scenario therefore can you please provide your VF code so that I can help you.
Ian Bate 13Ian Bate 13
I was able to workaround this.

I set the controller class to without sharing. This didn't make a difference at first but may have affected what happened later.

I removed VF bindings to (e.g.) {!myobject.StatusCode} on the page and replaced them with individual fields defined in the controller like Public String StatusCodeString {get; set;}. Then bound to that {!StatusCodeString}. On postback, I used these new public properties to update the object.




 
Michael Andrews 5Michael Andrews 5
I am have been doing some testing on this and found that the without sharing works but not always. If you try to use it durring the page load for example it will not work. (but I guess that is for all update calls)
If your getting a permission error it might be that you have to wait until the page loads and then put your update under without sharing inside a VF action. If your not sure what I am saying please look at this page:
https://www.learnexperiencecloud.com/s/article/Guest-User-Record-Access-Development-Best-Practices#Pattern1

I am still runing tests on this.