Spring 21 — AuraEnabled Apex and Sharing

Introduction

The Spring 21 release of Salesforce includes an update that may change the behaviour of your Apex classes that are used as controllers for Aura or Lightning Web Components. If your org was created after the Spring 18 Salesforce release, or you activated the (now retired) update

Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing

then by default your controllers run as without sharing, which means that they don’t take into account sharing settings for the user making the request and allow access to all records.

Once Spring 21 goes live, the

Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Update, Enforced)

will be applied and this behaviour will be reversed — the default will be with sharing and access will only be allowed for records owned by, or shared with, the user making the request.

Why the Change?

In a word, security. This update makes your components secure by default — if you forget to specify with sharing or without sharing, the principle of least privilege is applied and the most restrictive option is chosen.

The absence of a sharing keyword can also be considered a sharing keyword

I’m really not a fan of acts of omission driving behaviour, especially when that behaviour isn’t guaranteed. Prior to the Spring 21 release, if you don’t specify the type of sharing, there’s no way to tell by inspecting the code itself what will happen. Anyone debugging an issue around sharing would have to know when the org was provisioned, or find out whether the earlier update had been applied, always assuming they could get access to production to find out!

Historically, one reason to omit the sharing keyword was to allow the code to inherit the sharing from its calling Apex. This allowed a class to execute as though:

  • with sharing is defined, if called from a class defined as with sharing
  • without sharing is defined, if called from a class defined as without sharing

which gives a great degree of flexibility, with the trade-off that the exact same behaviour applies if you forgot the sharing declaration rather than intentionally excluded it. A comment to clarify the intent could help here, but that’s something else to remember.

Inherited Sharing

Winter 19 made a great step forward for forgetful programmers with the introduction of the inherited sharing keyword. This explicitly states that the class will inherit the sharing from the calling code, so no need for anyone to try to infer what the missing sharing keywords might mean.

A slight wrinkle to this is what does inherited sharing mean when the calling code is not Apex — i.e. when it is the entry point for a transaction and thus executed by the Salesforce platform? A great example of this is an AuraEnabled class used as a controller for an Aura or Lightning Web Component, aka where we came in to this post!

The good news is that the Apex docs explicitly call this out: inherited sharing means with sharing when it is the entry point for a transaction — the principle of least privilege again, but clearly documented so that everyone knows what behaviour to expect.

Call to action

So do yourself and your team a favour, and when you are checking your classes to see if they will be affected by the Spring 21 update, if you find any without a sharing keyword, add one to make it clear what sharing is being applied. Your future self will thank you, and it also means that Salesforce can flip flop around what the absence of a sharing keyword should be and your code remains unaffected.
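One way to run that check over your Apex source, as an added example that is not part of the original post: the script flags classes that contain @AuraEnabled members but declare no sharing keyword. The function names and sample classes are hypothetical, and as a simplification only the first (top-level) class declaration in each file is inspected.

```python
import re

# Comments and string literals are blanked first so a keyword that only
# appears in a comment or a string cannot satisfy the check.
_NOISE = re.compile(r"/\*.*?\*/|//[^\n]*|'(?:\\.|[^'\\])*'", re.S)
# Top-level class declaration with an optional sharing keyword (Apex is case-insensitive).
_CLASS = re.compile(
    r"\b(?:(?:global|public|private|virtual|abstract)\s+)*"
    r"(?:(?P<sharing>with|without|inherited)\s+sharing\s+)?"
    r"(?:(?:virtual|abstract)\s+)*class\s+(?P<name>\w+)", re.I)
_AURA = re.compile(r"@AuraEnabled\b", re.I)

def sharing_status(source):
    """Return (class name, sharing mode) for an @AuraEnabled class, else None."""
    code = _NOISE.sub(" ", source)
    decl = _CLASS.search(code)
    if decl is None or not _AURA.search(code):
        return None
    keyword = decl.group("sharing")
    mode = f"{keyword.lower()} sharing" if keyword else "implicit"
    return decl.group("name"), mode

def implicit_controllers(files):
    """File names whose @AuraEnabled class has no sharing keyword."""
    return sorted(name for name, src in files.items()
                  if (sharing_status(src) or ("", ""))[1] == "implicit")

# Constructed sample classes (not from the original post).
SAMPLES = {
    "AccountController.cls": """
// without sharing was removed during a refactor
public class AccountController {
    @AuraEnabled(cacheable=true)
    public static List<Account> getAccounts() { return [SELECT Id FROM Account]; }
}""",
    "ContactController.cls": """
public inherited sharing class ContactController {
    @AuraEnabled
    public static List<Contact> getContacts() { return [SELECT Id FROM Contact]; }
}""",
    "ReportingService.cls": """
public without sharing class ReportingService {
    @AuraEnabled
    public static Integer countAll() { return [SELECT COUNT() FROM Case]; }
}""",
    "Util.cls": "public class Util { public static void log(String m) {} }",
}

if __name__ == "__main__":
    for name in implicit_controllers(SAMPLES):
        print(f"{name}: @AuraEnabled class with no sharing keyword")
```

To audit a real project, build the dictionary from the contents of its .cls files instead of the constructed samples.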

Originally published at http://bobbuzzard.blogspot.com.

CTO at BrightGen, author Visualforce Development Cookbook, multi Salesforce Developer MVP. Salesforce Certified Technical Architect. I am the one who codes.
