Salesforce’s Spring ‘20 Release: Changes regarding guest users starting March 1, 2020

I figured out the issue. Salesforce apparently is checking if the Community Home page is accessible by the guest user even before logging in. In our case the Home Page is a visualforce page calling a skuid page hence the access was needed.

Glad you were able to figure it out, Jayesh! Thanks for sharing what you discovered here.

Update:

  • As explained here, Salesforce has extended the ability to opt out of having the guest user changes auto enabled in Summer ‘20 and will start enforcement of the guest user changes in Winter ‘20 without the option to opt out. 
  • Skuid has identified 2 options available to Skuid clients: 
  1. Declarative: Add an additional user license (for Salesforce & Skuid). You can go about configuring a second Salesforce data source (follow this Salesforce doc) that points to your same org with the user credentials hard coded. However, it is important that you make sure this user ONLY has the permissions that they absolutely need. You can then use this data source on your public page. Note: This method requires an additional paid Salesforce user and Skuid license to accomplish. 

  2. Custom code: 

    1. Use triggers as described here

    2. Write Apex code that runs in “system mode” to get around the Salesforce security model. You will need to use Skuid’s model API on the Skuid page.

Thank you for that update, quick question in the Option 1. declarative

It says in the doc :

A few caveats

  • Salesforce permissions are retained in all data source connections; an end user can only see and edit data they have access to in the associated orgs. Ensure that Salesforce user permissions are appropriately set in each external org being accessed.
  • If two people are simultaneously editing an external Salesforce org’s data, the last edit wins.
Regarding Point #2, just to clarify if 2 different people use that skuid page and edit 2 different records at the same time, only one of them would save its own changes?

Hi Dave, in the scenario you described above (2 people, 2 different records, same page), both user’s changes should be saved. We don’t expect that there would be conflicts unless both users were trying to update the same record at the same time.

HI Anna, thank you for answer above. I just set up a sandbox with the Declarative way, and all seems to be setup properly and when i try to create a new page, no problem i can use ‘external SF Data’ source, but it still asks me to OAuth myself…

So either the Instructions are missing something or I did not understand when it comes to login using stored credentials

So the goal of this is to have External users, without logging into SF be able to use a specific skuid page to edit…as i had with guest user license

So ofc i tried to ‘Hard code’ my credentials for now as it’s a test (i’m admin, not sure i can use mine or not).

And here’s the set up

So here are my questions:

  1. How do i set it up so that it uses the Stored credentials above instead of asking me or the public users to OAuth

  2. Once that is done what skuid page do I share to those users? the one I preview from page builder?

Quite confused, sorry if not very clear

Let me know

Thx

Hey,

Anna or anyone that has tried the declarative way, any way to point me in right direction for message above please?

Hi Dave, I’m checking into #1 and will get back to you.

for #2 the deployment process will be the same as usual, using the Salesforce Sites or Community Builder to deploy your page via the Skuid Page Lightning Component or a Visualforce page. https://docs.skuid.com/latest/v2/en/skuid/deploy/

Thank you Anna for helping me with this!

So just to be clear for @2 the same way I was sharing my page with Guest User via VF using sites, this will work the same way, but instead of using the guest user access, it would use the programed credentials?

Thank you

Hi Dave:

For #1, it looks like your Authentication Provider “ExternalSF” may need to be tweaked. Set your Grant Type to Resource Owner Password Credentials in the Auth Provider configuration, and you get the option to specify a Credential Source on the Data Source config screen. Here’s our documentation on the setting.  This is where you enter the username and password for your custom guest user.

#2. Build / update the pages you want to use on your site to use this External SF data source. For existing pages, you can update the XML so that the models are pointing to the new External SF data source rather than the original Salesforce Data Source. This is the page you will share via VF using sites. The site viewer will still be an unauthenticated guest user, but because the pages are using the External SF data source, guest users should be able to access the data according to the permissions you’ve assigned to the custom guest user.  

Again, make sure that the custom guest user only has the view and edit permissions that they absolutely need so that your site remains secure.

Hi, I am wondering if this change will have any impact to passing variables as “params” on public sites?

@Anna

Thank you very much, I finally got it to work mostly! ‘Guest User’ can view and Edit

But Regarding the File upload with the declarative way, it is not working for me.

Whether i try: Method A: In Content Document (with Record Context) or Method B: Attachment to Record  

Guest user has access to record(sharing rule enabled). Stored Credentials used for now are Admin, so not a permission issue.

the ‘Guest user’ sees this message instead of the file upload component


You do not have permission to upload files using the API.

Followed the little instructions I found here: https://docs.skuid.com/latest/en/data/salesforce/?_ga=2.260097357.170701798.1592344177-1892582263.15…

Any ideas?





Hey Dave, glad to hear you’re making progress.

  • what version of Skuid are you using? 12.2.?
  • Remind me what context for this? Force.com Site? Lightning Community?

A couple things to check:

  • If using Skuid-in-Visualforce to deploy in your community, make sure you follow the steps here to make a copy of the FileUpload Visualforce page and allow access to your new community guest user. 
  • This Visualforce Page should also be added to the list of Visualforce for the Force.com Site.

For convenience, here’s also the docs for the upload component https://docs.skuid.com/latest/en/skuid/components/ink/file-upload/.

Hey Anna,

Thanks you for quick response above, as would love to finish this today

I’m on 12.2.19

Context is for Sites

We use Skuid in VF , and Site’s guest user has access to VF page for redirect, and those 3 you mentioned, Upload Image, Social and Include Cloned VF pages (i even updated them in case they got changed in newer version)

Still same error.

Any other idea I can try?

This is my last piece of the puzzle before I attempt all of this in Production.


Does anyone have a sample VF page and APEX code to allow the guest user on a force.com site with skuid to read/create/edit?

I’d rather not have to require all of our customers to add a skuid and salesforce license to keep their force.com sites working.

I tried looking at that option with my Dev, but seem very complex, so we made decision instead of spending $$ on Development and the time it would take to get it done properly, to use the declarative way. More expensive on long run, but faster and simpler deployment!

Hope someone can share that, I would be curious as well



Hi Nicholas, it depends on which variables you’re passing as params. The guest user will need to have access to those variables (e.g. record ids).

Remember
 that there is not distinction between guest users from a security standpoint, so any guest user familiar with the Javascript console can use it to access all the records that are open to guest user access regardless of how Skuid’s conditions are set up.


Has anyone had success in passing login credentials via URL for all browsers? For example it works fine in Chrome but not Safari.

https://yourdomainhere.my.salesforce.com/login.jsp?pw=yourpasswordhere&un=youremailhere

Hi everyone, thanks for your patience here.

Skuid has fixed the issue you raised regarding Guest Users Accessing the File Upload Component for External Salesforce Data Sources in Force.com Site (issue CORE-3089) in the new 13.0.11 and 12.4.19 releases which are now available on the Skuid Releases page. Thanks again for alerting us of this issue! You should no longer get the “You do not have permission to upload files using the API” error.

Best practices for upgrading can be found in Upgrading Skuid on Salesforce. As a reminder, Salesforce does NOT allow reverting back to prior versions of managed packages. Skuid always recommends installing new versions in a non-business critical sandbox environment to test all mission critical functionality before installing into a production environment. We also recommend that you update out of date themes after you upgrade. Please let us know if you continue to encounter any problems with this issue after upgrading.

Branched off conversation re: shared guest user credentials on 13.0.11 http://community.skuid.com/discussion/8015550/13-0-11-guest-user-access-using-stored-credentials