Apex Sharing Behavior Basics
All @AuraEnabled custom controllers run in system mode. Consequently, the current user’s credentials aren’t used to execute controller logic, and the user’s permissions and field-level security aren’t automatically applied.
You can choose whether a controller respects a user’s org-wide defaults, role hierarchy, and sharing rules by using the with sharing or without sharing keywords in the class or method definition. For more information, see “Using the with sharing or without sharing Keywords” in the Apex Developer Guide.
By default, Apex classes that don’t specify either with sharing or without sharing in their definition implicitly use without sharing. That is, they behave as though without sharing was set.
However, Apex classes that don’t explicitly set with sharing or without sharing inherit the sharing behavior of the context in which they run. So when a class without explicit sharing behavior is called by a class that sets one of the keywords, it operates with the sharing behavior of the calling class.
What This Critical Update Changes
Previously, Lightning component controllers that didn’t explicitly set a sharing behavior operated as though with sharing was set. This behavior is the opposite of Apex operating in other contexts, such as Visualforce controllers.
When this critical update is enabled, the sharing behavior of Apex code respects the documented behavior and is consistent with Apex code behavior in other contexts. So when you call @AuraEnabled controller methods from Lightning component code, if neither the class nor method explicitly specifies the sharing behavior, the controller method implicitly uses without sharing.
Impact of This Critical Update
The best way to prepare for this critical update is to ensure that all your @AuraEnabled code explicitly controls sharing behavior using the with sharing or without sharing keywords. If all your @AuraEnabled code explicitly sets sharing behavior, this critical update has no effect.
While it’s theoretically possible to use implicit sharing and verify correctness using tests, that strategy is flawed. It’s easy to make a mistake, and a mistake is a security vulnerability. If you use implicit sharing, you are responsible for making certain your record access security is correct.
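As an added illustration (example code, not from this release note; the class names and the Account query are assumed), the same @AuraEnabled query written three ways: with implicit sharing, which this update changes; with explicit with sharing, which the update leaves unaffected; and a helper class with no keyword whose sharing behavior is inherited from its caller, as described above.

```apex
// Example 1 (assumed class name): no sharing keyword.
// Before the update, a Lightning component calling this method got results
// as though "with sharing" were set. After the update it runs "without
// sharing", so the query returns Account records the current user cannot see.
public class ImplicitSharingController {
    @AuraEnabled
    public static List<Account> getAccounts() {
        return AccountQueryHelper.recentAccounts();
    }
}

// Example 2 (assumed class name): sharing behavior stated explicitly.
// The update has no effect here; org-wide defaults, role hierarchy and
// sharing rules are enforced on the query. Note that "with sharing" governs
// record visibility only; it does not apply field-level security.
public with sharing class ExplicitSharingController {
    @AuraEnabled
    public static List<Account> getAccounts() {
        return AccountQueryHelper.recentAccounts();
    }
}

// Example 3 (assumed class name): helper with no keyword.
// It inherits the sharing behavior of whichever class calls it: sharing is
// enforced when called from ExplicitSharingController, but not when called
// from ImplicitSharingController once this update is enabled. Give helpers
// an explicit keyword too, so their behavior does not depend on the caller.
public class AccountQueryHelper {
    public static List<Account> recentAccounts() {
        return [SELECT Id, Name FROM Account ORDER BY CreatedDate DESC LIMIT 50];
    }
}
```

A quick check during testing is to call each controller as a user who owns none of the Account records: the explicit with sharing controller returns an empty list, while the implicit one returns records after the update is activated.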
Critical Update Timeline
- This critical update is disabled by default in existing orgs in Spring ’18.
- This critical update is enabled by default in new orgs beginning in Spring ’18.
- This critical update will be automatically enabled for all orgs on the auto-activation date, currently scheduled for after the Winter ’19 production release. The specific date for your org is available in the Critical Update Console in Setup.
Activate and Test This Critical Update
This update will be enabled everywhere on the auto-activation date. We recommend that you test your Lightning component controller code in a Developer Edition org before that date. If you must work in your production org, do so during off-peak hours.
- From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
- For Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing, click Activate.
- Test the behavior of components that use controllers that don’t include the with sharing or without sharing keywords.