You need to sign in to do that
Don't have an account?
Issimo 6
Spring 21 Sites Permissions Blocking Updates
We have a Salesforce Site with a single Visualforce page which displays a record from a custom object. The associated custom controller has an action which updates the record. The controller class is defined as Public Class MyClass.
So, since the Spring 21 release, the Guest User profile no longer has Edit permissions on the Custom object. No problem I thought, the controller is just defaulting to 'with sharing' and I need to explicitly make it 'without sharing' so that it runs in System Mode and has full access to all fields and permissions on the custom object. So my class definition is now Public without sharing Class MyClass.
But this didn't make any difference and I'm still getting the error -
System.VisualforceException: Update access denied for MyCustomObject__c, controller action methods may not execute
I'm thinking that this is not going to be possible to fix, without using a licence or community setup. I would be grateful for any advice.
So, since the Spring 21 release, the Guest User profile no longer has Edit permissions on the Custom object. No problem I thought, the controller is just defaulting to 'with sharing' and I need to explicitly make it 'without sharing' so that it runs in System Mode and has full access to all fields and permissions on the custom object. So my class definition is now Public without sharing Class MyClass.
But this didn't make any difference and I'm still getting the error -
System.VisualforceException: Update access denied for MyCustomObject__c, controller action methods may not execute
I'm thinking that this is not going to be possible to fix, without using a licence or community setup. I would be grateful for any advice.
https://help.salesforce.com/articleView?id=sf.networks_guest_policies_timelines.htm&type=5
- but it does say 'Guest users can only update or delete records in System Mode'
Does adding 'without sharing' to the page's custom controller not do this?
I set the controller class to without sharing. This didn't make a difference at first but may have affected what happened later.
I removed VF bindings to (e.g.) {!myobject.StatusCode} on the page and replaced them with individual fields defined in the controller like Public String StatusCodeString {get; set;}. Then bound to that {!StatusCodeString}. On postback, I used these new public properties to update the object.
If your getting a permission error it might be that you have to wait until the page loads and then put your update under without sharing inside a VF action. If your not sure what I am saying please look at this page:
https://www.learnexperiencecloud.com/s/article/Guest-User-Record-Access-Development-Best-Practices#Pattern1
I am still runing tests on this.