Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update, Postponed)

This critical update is postponed to Spring ’21. It was scheduled for auto-activation in Spring ’20. This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to with sharing. This critical update applies only to orgs created after Spring ’18 or orgs that activated the retired “Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing” critical update, which had the opposite effect and set the default to without sharing. Orgs created before Spring ’18 already default to with sharing. Those orgs don’t see the critical update unless they enabled the now-retired without sharing critical update.

Where: This change applies to Aura and Lightning web components in Lightning Experience, Salesforce Classic, Lightning communities, and all versions of the Salesforce app.

When: This critical update is enforced when a sandbox or production org is upgraded to Spring ’21. Enforcement starts on November 29, 2020 and takes effect when your instance is upgraded to Spring ’21. To find the exact activation date for your instance, refer to https://status.salesforce.com.

Why: An @AuraEnabled Apex class that doesn’t explicitly set with sharing or without sharing uses a default or implicit value of with sharing. The purpose of the retired “Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing” critical update was to make Apex controllers for Aura components default to without sharing. This behavior made Apex controllers consistent in Aura components and Visualforce pages.

After further consideration, we decided to ensure that Lightning components are secure by default. So we created this new critical update that defaults to with sharing for @AuraEnabled Apex classes used by Aura components or Lightning web components.

Apex classes generally run in system mode. Consequently, the current user’s credentials aren’t used to execute Apex logic, and the user’s permissions and field-level security aren’t automatically applied.

You can choose whether an Apex class enforces sharing rules by using the with sharing or without sharing keywords. Enforcing sharing rules by using the with sharing keyword doesn’t enforce the user’s permissions and field-level security. You must manually enforce CRUD permissions and field-level security separately in your Apex classes.

How: The best way to prepare for this critical update is to ensure that all your @AuraEnabled Apex code explicitly controls sharing behavior using the with sharing or without sharing keywords. If all your @AuraEnabled code explicitly sets sharing behavior, this critical update has no effect.

To test this critical update, we recommend working in a sandbox to complete testing before the initial enforcement date of November 29, 2020, which is the Auto-Activation Date in the UI. After November 29, you can no longer activate or deactivate the critical update, and you can test behavior only in a sandbox that’s already been upgraded to Spring ’21. If you don’t activate the critical update before November 29, it will be automatically activated when your instance is upgraded to Spring ’21.

  1. From Setup, enter Critical Updates in the Quick Find box.
  2. Select Critical Updates.
  3. Review the details for the “Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing” critical update.
  4. Click Activate.
  5. Test the behavior of components that use Apex classes that don’t include the with sharing or without sharing keywords.
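
To find the classes that step 5 refers to, the following added example (not Salesforce code) scans Apex class sources for @AuraEnabled controllers whose class declaration sets no sharing keyword. The file names and class sources are constructed samples, and the function names are hypothetical; it checks only the first (top-level) class declaration in each file.

```python
import re

# Comments are stripped first so keywords mentioned only in comments are ignored
# (simplification: a "//" inside a string literal is cut as well).
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
# First class declaration with its optional sharing keyword; Apex is case-insensitive.
# "inherited sharing" is a third Apex keyword the page does not mention; it is
# reported as-is rather than treated as implicit.
CLASS_DECL = re.compile(
    r"\b(?:(without|with|inherited)\s+sharing\s+)?(?:(?:virtual|abstract)\s+)*class\s+(\w+)",
    re.IGNORECASE)
AURA_ENABLED = re.compile(r"@AuraEnabled\b", re.IGNORECASE)

def audit(sources):
    """Map {filename: Apex source} to [(filename, class, mode)] for each file
    containing @AuraEnabled; mode is 'implicit' when no sharing keyword is set."""
    findings = []
    for name, text in sorted(sources.items()):
        code = COMMENTS.sub("", text)
        decl = CLASS_DECL.search(code)
        if decl is None or not AURA_ENABLED.search(code):
            continue
        mode = (decl.group(1) or "implicit").lower()
        findings.append((name, decl.group(2), mode))
    return findings

def needs_review(sources):
    """Files whose sharing behavior depends on the critical update."""
    return [name for name, _cls, mode in audit(sources) if mode == "implicit"]

# Constructed sample sources, not taken from any real org.
SAMPLES = {
    "AccountController.cls": """public class AccountController {
        @AuraEnabled
        public static List<Account> getAccounts() { return [SELECT Id FROM Account]; }
    }""",
    "ContactController.cls": """public with sharing class ContactController {
        @AuraEnabled(cacheable=true)
        public static List<Contact> getContacts() { return [SELECT Id FROM Contact]; }
    }""",
    "LegacyController.cls": """/* TODO: convert to a with sharing class Legacy */
    public class LegacyController {
        @AuraEnabled public static Integer countCases() { return [SELECT COUNT() FROM Case]; }
    }""",
    "ReportController.cls": """global without sharing class ReportController {
        @AuraEnabled public static Integer countLeads() { return [SELECT COUNT() FROM Lead]; }
    }""",
    "Util.cls": "public class Util { public static void noop() {} }",
}

if __name__ == "__main__":
    for name, cls, mode in audit(SAMPLES):
        print(f"{name}: {cls} -> {mode}")
```

Classes reported as without are unaffected by the update but are worth confirming as intentional, and every listed class still needs its own CRUD and field-level security checks.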