Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Update, Postponed)

This update is postponed to Spring ’21. It was scheduled for auto-activation (enforcement) in Spring ’20. This update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to with sharing. This update applies only to orgs created after Spring ’18 or orgs that activated the retired Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing update, which had the opposite effect and set the default to without sharing. Orgs created before Spring ’18 already default to with sharing. Those orgs don’t see the update unless they enabled the now retired without sharing update.

Where: This change applies to Aura and Lightning web components in Lightning Experience, Salesforce Classic, Lightning communities, and all versions of the Salesforce app.

When: This update is enforced when a sandbox or production org is upgraded to Spring ’21. Enforcement starts for some sandboxes on November 29, 2020. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

Why: An @AuraEnabled Apex class that doesn’t explicitly set with sharing or without sharing uses a default or implicit value of with sharing. The purpose of the retired Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing update was to make Apex controllers for Aura components default to without sharing. This behavior made Apex controllers consistent in Aura components and Visualforce pages.

After further consideration, we decided to ensure that Lightning components are secure by default. So we created this new update that defaults to with sharing for @AuraEnabled Apex classes used by Aura components or Lightning web components.

Apex classes generally run in system mode. Consequently, the current user’s credentials aren’t used to execute Apex logic, and the user’s permissions and field-level security aren’t automatically applied.

You can choose whether an Apex class enforces sharing rules by using the with sharing or without sharing keywords. Enforcing sharing rules by using the with sharing keyword doesn’t enforce the user’s permissions and field-level security. You must manually enforce CRUD permissions and field-level security separately in your Apex classes.

How: The best way to prepare for this update is to ensure that all your @AuraEnabled Apex code explicitly controls sharing behavior using the with sharing or without sharing keywords. If all your @AuraEnabled code explicitly sets sharing behavior, this update has no effect.

To test this update, we recommend working in a sandbox. After November 29, 2020, you can continue to activate or deactivate the update from Release Updates in Setup until the update is automatically enforced when your org is upgraded to Spring ’21.

  1. From Setup, enter Release Updates in the Quick Find box.
  2. Select Release Updates.
  3. Find Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing, and click View Details or Get Started.
  4. Test the behavior of components that use Apex classes that don’t include the with sharing or without sharing keywords.
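
To support the preparation step described under How, the following added example (not Salesforce code) scans Apex class sources for top-level classes that expose @AuraEnabled static methods without declaring a sharing mode. It is a regex heuristic that assumes one top-level class per .cls file; the function names and the sample classes are constructed for illustration.

```python
import re

# Blank out comments and string literals so keywords inside them are ignored.
NOISE = re.compile(r"/\*.*?\*/|//[^\n]*|'(?:\\.|[^'\\])*'", re.S)
CLASS = re.compile(r"\bclass\s+(\w+)", re.I)
# "inherited sharing" is also an explicit Apex declaration (not named on this page).
SHARING = re.compile(r"\b(?:with|without|inherited)\s+sharing\b", re.I)
# @AuraEnabled on a static method, i.e. a controller entry point, not a DTO field.
AURA_METHOD = re.compile(
    r"@AuraEnabled\s*(?:\([^)]*\))?\s*(?:\w+\s+)*?static\b", re.I)


def implicit_sharing(source):
    """Return the top-level class name if it has @AuraEnabled static
    methods but no sharing keyword in its declaration, else None."""
    clean = NOISE.sub(" ", source)
    decl = CLASS.search(clean)
    if decl is None or not AURA_METHOD.search(clean):
        return None
    # Everything before the first "class" token is annotations and modifiers.
    if SHARING.search(clean[:decl.start()]):
        return None
    return decl.group(1)


def audit(files):
    """files maps path -> Apex source; returns sorted (path, class) findings."""
    hits = [(p, implicit_sharing(s)) for p, s in files.items()]
    return sorted(h for h in hits if h[1])


# Constructed sample classes, not taken from any real org.
SAMPLE = {
    "AccountCtl.cls": "public class AccountCtl {\n"
        "  @AuraEnabled(cacheable=true)\n"
        "  public static List<Account> recent() { return [SELECT Id FROM Account]; }\n}",
    "CaseCtl.cls": "public with sharing class CaseCtl {\n"
        "  @AuraEnabled public static void close(Id caseId) {}\n}",
    "Tricky.cls": "// TODO: make this with sharing\npublic class Tricky {\n"
        "  @AuraEnabled\n  public static String ping() { return 'without sharing'; }\n}",
    "Dto.cls": "public class Dto { @AuraEnabled public String name; }",
    "Admin.cls": "public WITHOUT SHARING class Admin {\n"
        "  @auraenabled public static void purge() {}\n}",
}

if __name__ == "__main__":
    for path, name in audit(SAMPLE):
        print(f"{path}: class {name} relies on implicit sharing")
```

Classes it reports are the ones whose behavior changes when the update is enforced; add with sharing or without sharing to each one deliberately.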