impairment of site guest user upload due to secruity updates with salesforce spring 20 release

edited February 6, 2020 in Questions

Hello everyone, 

we built a web form with Skuid that has a two-step wizard: In the first step, after clicking on next, a record of a custom object is created. In the second step, further details are entered by the user and files can be uploaded as attachments to the custom object record. After clicking on a send button, the custom object record is updated with the information from step 2.

The Skuid web form is embedded in a Visualforce page, which itself is the starting page of a Visualforce-based community, so the user entering the information is an anonymous site guest user. So far, this has all been working well, until Salesforce rolled out the security updates concerning guest users with the new Spring 20 release on some of our sandboxes. This forced us to make some adjustments regarding the updating logic in step 2, but we got everything working, EXCEPT the file upload:

When the site guest user now tries to upload a file as attachment to the custom object record, the upload fails and the on-upload failure actions of the file upload component are triggered. Debug logs give us no clue as to why the upload fails and we can only conclude that the failure must happen somewhere within the Skuid business logic that takes care of file uploads. We need help as to why the upload is now failing and what we can use as workaround or solution. This is urgent, as with the activation of the guest user security updates on production coming, our web form will not have a working file upload component anymore.


This is the configuration of our file upload component:

Save To: Data Source

Parent Model: Model for the custom object (model is saved in step 1)

File Storage Location: In Attachment to Record

 

We use Skuid v1, version 12.2.12. At the time of using the file upload component, our site guest user is the owner of the custom object record and that record already exists, so sharing settings should not affect the behavior.

In case you suggest to switch to Content Documents as file storage location: We tried this, but then the file upload component is not displayed at all, so uploading content documents instead of attachments does not seem to work for the site guest user at all (which is why we are using attachments in the first place).

We would like to report this problem to the community and if someone has an idea or even approaches to solve the behaviour, we would be very grateful. 

Unfortunatelythis is a hot topic for us, because this is the main feature for our customer. 

We are happy to receive a lot of feedback.  


Yours sincerely

Yvonne & Kevin

Comments

  • Khamla PhimmachackKhamla Phimmachack 🛠️ 
    edited January 23, 2020
    Are the guest users required to login to the site? If not, please see the following release notes for Spring 20 about Salesforce's new restrictions for guest user permissions in the new release. You may need to add sharing rules to resolve the problem:

    https://releasenotes.docs.salesforce.com/en-us/spring20/release-notes/rn_networks_guest_sharing_security_alert.htm

    https://releasenotes.docs.salesforce.com/en-us/spring20/release-notes/rn_networks_guest_user.htm

  • edited January 31, 2020

    After consulting with Salesforce, we tested the file upload in a public community with the site guest user security updates activated. Our test included only a Visualforce Page and an Apex Controller without sharing which inserted an attachment to a record that belonged to the site guest user. The result was that the upload was possible. Salesforce also confirmed that file uploads or updates to records by a site guest user would only be possible if Apex without sharing was used, once the security updates are force-activated on 1st March. Ownership of records should not be given back to a site guest user under any circumstances.

     

    This is now a serious issue that Skuid has to fix before 1st March. Skuid has to make such DML operations possible for a site guest user by allowing the respective Apex code in the Skuid package to be without sharing or by allowing the use of an own Apex controller in the Skuid DML components such as the file upload component or the update and save model actions. Will there be a fix? If not, we will have to abort Skuid as UI and build our own web form with Lightning components.
  • Anna WiersemaAnna Wiersema 🛠️ 
    edited February 6, 2020
    Kevin, thanks for being one of the one to bring this issue to our attention. You can see the latest update from Skuid in the public announcement Salesforce’s Spring ‘20 Release: Changes regarding guest users starting March 1, 2020.  

    Highlights
    • The Skuid Product Engineering team is working on a product change to restore the ability for Guest Users to use Skuid’s File Upload component to upload attachments to records. This change will be available in 11.2.30 and 12.2.14. 
    • If your guest users need to access records they have created, this should be handled sharing rules, Apex, or Flows.  
    • For more details, please see this article on how Salesforce recommends that customers write Apex to work outside of the security model you have configured for your Org.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!