Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile (Critical Update, Postponed)

This critical update is postponed to Winter ’21. It was scheduled for auto-activation in Spring ’20. This critical update gives you more control over which guest, portal, or community users can access Apex classes containing @AuraEnabled methods. Add guest user profile access to any @AuraEnabled Apex class used by a community or portal. When this critical update is activated, a guest, portal, or community user can access an @AuraEnabled Apex method only when the user’s profile or an assigned permission set allows access to the Apex class.

Where: This change applies to Aura components, Lightning web components, and flows in Lightning communities, portals, and Salesforce Sites.

When: This critical update is enforced when a sandbox or production org is upgraded to Winter ’21. Enforcement starts on August 9, 2020 and takes effect when your instance is upgraded to Winter ’21. To find the exact activation date for your instance, refer to https://status.salesforce.com.

Why: When this critical update is activated, a guest, portal, or community user can access an @AuraEnabled Apex method only when the user’s profile or a permission set allows access to the Apex class. This critical update enforces user profile and permission set restrictions for Apex classes used by Aura and Lightning web components.

Note

Note

To enable access to a public Apex controller that’s part of a managed package, a subscriber org must use a permission set. You can’t enable access to a public Apex controller from a managed package using a user profile.

How: To test this critical update, we recommend working in a sandbox to complete testing before the initial enforcement date of August 9, 2020, which is the Auto-Activation Date in the UI. After August 9, you can no longer activate or deactivate the critical update and you can test behavior only in a sandbox that’s already been upgraded to Winter ’21. If you don’t activate the critical update before May 7, it will be automatically activated when your instance is upgraded to Winter ’21.

  1. From Setup, enter Critical Updates in the Quick Find box.
  2. Select Critical Updates.
  3. Review the details for the “Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile” critical update.
  4. Click Activate.
  5. Test that custom Aura components, Lightning web components, and flows that you’ve developed are working correctly for guest, portal, and community users.