Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update)

This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to without sharing. This change relaxes the security for controllers that don’t explicitly set sharing behavior using these keywords. It’s a best practice to always use with sharing in Apex controllers used with Lightning components.

Apex Sharing Behavior Basics

All @AuraEnabled custom controllers run in system mode. Consequently, the current user’s credentials aren’t used to execute controller logic, and the user’s permissions and field-level security aren’t automatically applied.

You can choose whether a controller respects a user’s org-wide defaults, role hierarchy, and sharing rules by using the with sharing keywords in the class or method definition. For more information, see “Using the with sharing or without sharing Keywords” in the Apex Developer Guide.

By default, Apex classes that don’t specify either with sharing or without sharing in their definition implicitly use without sharing. That is, they behave as though without sharing was set.

However, an Apex class that doesn’t explicitly set with sharing or without sharing inherits the sharing behavior of the context in which it runs. So when such a class is called by a class that does set one of the keywords, it operates with the sharing behavior of the calling class.

What This Critical Update Changes

Previously, Lightning component controllers that didn’t explicitly set a sharing behavior operated as though with sharing was set. This behavior is the opposite of Apex operating in other contexts, such as Visualforce controllers.

When this critical update is enabled, the sharing behavior of Apex code respects the documented behavior and is consistent with Apex code behavior in other contexts. So when you call @AuraEnabled controller methods from Lightning component code, if neither the class nor method explicitly specifies the sharing behavior, the controller method implicitly uses without sharing.

Impact of This Critical Update

Important

This critical update relaxes the security of affected Lightning component controller code. If you have @AuraEnabled controller methods or classes that don’t explicitly specify the sharing behavior, those controller methods can allow access to records not owned by the current user when this update is enabled.

The best way to prepare for this critical update is to ensure that all your @AuraEnabled code explicitly controls sharing behavior using the with sharing or without sharing keywords. If all your @AuraEnabled code explicitly sets sharing behavior, this critical update has no effect.

While it’s theoretically possible to use implicit sharing and verify correctness using tests, that strategy is flawed. It’s easy to make a mistake, and a mistake is a security vulnerability. If you use implicit sharing, you are responsible for making certain your record access security is correct.
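To make the preparation step concrete, here is an added example (constructed for these notes, not Salesforce’s own code) showing an implicit-sharing controller beside its explicit with sharing replacement, plus a helper class that inherits the sharing mode of whichever controller calls it. The class and method names, the Contact query, and the field-level security check are assumptions; in a real org each top-level class lives in its own .cls file.

```apex
// Helper with no sharing keyword: it inherits the sharing mode of its caller.
// Called from ContactSearchControllerSecure it runs "with sharing"; called from
// ContactSearchController it runs "without sharing" once the update is enabled.
public class ContactQueryHelper {
    public static List<Contact> byLastName(String lastName) {
        return [SELECT Id, Name, Email FROM Contact WHERE LastName = :lastName LIMIT 100];
    }
}

// BEFORE: no sharing keyword. With the critical update disabled, this @AuraEnabled
// method behaved as though "with sharing" was set. With the update enabled it runs
// "without sharing", so the query can return Contact records the current user has
// no sharing access to.
public class ContactSearchController {
    @AuraEnabled
    public static List<Contact> findByLastName(String lastName) {
        return ContactQueryHelper.byLastName(lastName);
    }
}

// AFTER: explicit "with sharing", so org-wide defaults, the role hierarchy and
// sharing rules are enforced whether or not the critical update is enabled.
public with sharing class ContactSearchControllerSecure {
    @AuraEnabled
    public static List<Contact> findByLastName(String lastName) {
        // Sharing keywords do not apply field-level security (the class still runs
        // in system mode), so check the exposed field explicitly before querying.
        if (!Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            throw new AuraHandledException('Insufficient access to Contact.Email');
        }
        return ContactQueryHelper.byLastName(lastName);
    }
}
```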

Critical Update Timeline

  • This critical update is disabled by default in existing orgs in Spring ’18.
  • This critical update is enabled by default in new orgs beginning in Spring ’18.
  • This critical update will be automatically enabled for all orgs on the auto-activation date, currently scheduled for after the Winter ’19 production release. The specific date for your org is available in the Critical Update Console in Setup.

Activate and Test This Critical Update

This update will be enabled everywhere on the auto-activation date. We recommend that you test your Lightning component controller code in a Developer Edition org before that date. If you must work in your production org, do so during off-peak hours.

To activate and test this critical update:
  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing, click Activate.
  3. Test the behavior of components that use controllers that don’t include the with sharing or without sharing keywords.

Warning

You can’t use Apex tests to test the impact of this critical update on the sharing behavior of @AuraEnabled Apex code. This limitation is because Apex code that is run from Apex tests already functions correctly and doesn’t change when the critical update is enabled or disabled. Test the results on the client side from your Lightning components, manually or using a test framework such as Lightning Testing Service, to verify that behavior is correct with the critical update enabled.