Critical update - Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile - Answers - Salesforce Trailblazer Community
Jai Monga

Critical update - Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile

Hi,
How can an admin find out which Apex classes need to be enabled for profiles? I have checked with SF support and they have asked me to check with our development team but we don't have a development team.
Best Answer chosen by Jai Monga
Jonathan Wiesel
Hi Jaideep,

Usually you'll need to identify if you have Aura components or Lightning Web Components in your org. A common way those components communicate with the Salesforce backend is using Apex methods (located in Apex classes); these methods must be annotated with the @AuraEnabled annotation to be accessible by such components.

The difficult part for an admin (if they don't have a technical background or experience) would be identifying the Apex classes referenced by those components; I'll try my best at explaining it.

For Aura you'll need to look for the following in the component markup
 
<aura:component controller="ServerSideController">
That ServerSideController is an Apex class that will probably have methods annotated with @AuraEnabled, so make sure users have access to it.

https://developer.salesforce.com/docs/atlas.en-us.lightning.meta/lightning/controllers_server_actions_call.htm

For LWC you'll need to check the JS files and look for entries like the following in the code
 
import apexMethodName from '@salesforce/apex/Namespace.Classname.apexMethodReference';

That Classname is an Apex class that will have an apexMethodReference method annotated with @AuraEnabled, so also make sure that users have permissions for that class.

https://developer.salesforce.com/docs/component-library/documentation/en/lwc/lwc.apex

For components in managed packages, since you cannot peek at the code you won't be able to determine it easily; however, these managed packages usually include permission sets with the appropriate permissions on the Apex classes, so you'll only need to make sure people have those packages' permission sets assigned.

I hope this is not too confusing and will be enough to be handled without much technical expertise.
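Added example (not part of Jonathan's answer and not a Salesforce tool): a small Python script that applies the two searches described above to a local copy of the org's metadata, such as a retrieve made with Salesforce DX or the Metadata API. It pulls the controller attribute out of Aura markup and the @salesforce/apex imports out of LWC JavaScript, separates namespaced (managed package) classes from local ones, and renders a PermissionSet metadata file granting class access to the local ones. The file paths, class names and source snippets are constructed for the example; the patterns follow the two forms shown in the answer, and the classAccesses/apexClass/enabled/label elements are the Metadata API PermissionSet structure.

```python
import re
from xml.sax.saxutils import escape

# Aura markup: <aura:component controller="ServerSideController"> or
# <aura:application controller="ns.ClassName">; the attribute can sit
# anywhere in the opening tag, possibly on a later line.
AURA_CONTROLLER_RE = re.compile(
    r'<aura:(?:component|application)\b[^>]*?\bcontroller\s*=\s*["\']'
    r'(?:(?P<ns>\w+)\.)?(?P<cls>\w+)["\']',
    re.IGNORECASE,
)

# LWC JavaScript: import x from '@salesforce/apex/[Namespace.]Classname.method';
LWC_APEX_IMPORT_RE = re.compile(
    r'@salesforce/apex/(?:(?P<ns>\w+)\.)?(?P<cls>\w+)\.(?P<method>\w+)["\']'
)

# Constructed stand-in for a metadata retrieve (path -> file content); not a real org.
SAMPLE_SOURCES = {
    "aura/contactList/contactList.cmp":
        '<aura:component implements="flexipage:availableForAllPageTypes"\n'
        '                controller="ContactListController">\n'
        '    <aura:attribute name="contacts" type="Contact[]"/>\n'
        '</aura:component>',
    "aura/orderApp/orderApp.app":
        '<aura:application controller="pkg.OrderController" extends="force:slds">\n'
        '</aura:application>',
    "lwc/accountSearch/accountSearch.js":
        "import { LightningElement } from 'lwc';\n"
        "import search from '@salesforce/apex/AccountSearchController.search';\n"
        "import recent from '@salesforce/apex/AccountSearchController.recent';\n"
        "export default class AccountSearch extends LightningElement {}",
    "lwc/pkgWidget/pkgWidget.js":
        "import getData from '@salesforce/apex/pkg.WidgetController.getData';",
    "lwc/hello/hello.js":
        "import { LightningElement } from 'lwc';\n"
        "export default class Hello extends LightningElement {}",
}


def scan_sources(sources):
    """Map each referenced Apex class to its namespace, imported methods and referencing files."""
    refs = {}
    for path, text in sources.items():
        if path.endswith((".cmp", ".app")):
            matches = AURA_CONTROLLER_RE.finditer(text)
        elif path.endswith(".js"):
            matches = LWC_APEX_IMPORT_RE.finditer(text)
        else:
            continue
        for m in matches:
            ns, cls = m.group("ns"), m.group("cls")
            key = f"{ns}.{cls}" if ns else cls
            entry = refs.setdefault(
                key, {"namespace": ns, "methods": set(), "referenced_by": set()}
            )
            entry["referenced_by"].add(path)
            # Only the LWC pattern names the method; Aura only names the class.
            if "method" in m.groupdict() and m.group("method"):
                entry["methods"].add(m.group("method"))
    return refs


def split_by_origin(refs):
    """Local classes you grant directly vs. namespaced classes from managed packages."""
    local = {k for k, v in refs.items() if v["namespace"] is None}
    packaged = {k for k, v in refs.items() if v["namespace"] is not None}
    return local, packaged


def build_permission_set_xml(class_names, label):
    """Render PermissionSet metadata that enables the given Apex classes."""
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">',
    ]
    for name in sorted(class_names):
        lines += [
            "    <classAccesses>",
            f"        <apexClass>{escape(name)}</apexClass>",
            "        <enabled>true</enabled>",
            "    </classAccesses>",
        ]
    lines += [f"    <label>{escape(label)}</label>", "</PermissionSet>"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_sources(SAMPLE_SOURCES)
    local, packaged = split_by_origin(found)
    for name in sorted(found):
        print(name, sorted(found[name]["methods"]), sorted(found[name]["referenced_by"]))
    print("Grant directly:", sorted(local))
    print("From managed packages (assign the package's permission sets):", sorted(packaged))
    print(build_permission_set_xml(local, "AuraEnabled Apex Access"))
```

Namespaced classes are reported separately rather than written into the permission set, following the answer's advice to use the package's own permission sets for those. To run it against a real retrieve, replace SAMPLE_SOURCES with the contents of the aura/ and lwc/ directories read from disk.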

All Answers
Jai Monga
Thanks Jonathan! That is very useful information.
Anthony Iorio
Hi Jonathan, once I have located the Aura components how do I then give users access to those specific components?

Do I need to create a permission set, enable only those specific apex classes, and then assign that permission set to all users?

Thanks,
Jonathan Wiesel
Hi Anthony,

You don't give permissions on the components themselves but to the Apex classes they reference.

You can either enable them via profiles or permission sets, depending what would be more convenient and logic depending on each use case.
Anthony Iorio
Good to know. Thanks for the insight!

Also, would there be an issue with giving everyone access to these classes? Would their profiles still restrict them from accessing data and apps that they shouldn't?
Jonathan Wiesel
@Anthony, a possible security issue on data exposure could happen if said classes don't respect platform sharing capabilities. For example, if the class uses the without sharing keyword, the queries that said class executes will run in system mode instead of user mode, therefore returning more data than what the user may have permissions to see.
sanjukta ghosh
Hi Jonathan,
For classes in without sharing mode that contain @AuraEnabled methods, do we need to add those to the profiles as well to access the methods, or is this update just applicable to with sharing classes?
Jonathan Wiesel
Hi Sanjukta,

You'll probably need to add them, since the accessor keyword only determines whether the code should run respecting the current user's sharing permissions, not the access to the class per se.
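Added example (not from the thread): a Python checker for the point made in the last two replies. It reads Apex class source (constructed samples here, not real org code), records the outer class's sharing keyword and lists its @AuraEnabled methods, then reports which classes need class access granted regardless of keyword, flagging those declared without sharing, or with no sharing keyword at all, for review of what their queries can return. The class names and bodies are made up for the example; the "no keyword" note reflects the Apex rule that a class with no sharing declaration does not enforce sharing unless it inherits it from a calling class.

```python
import re

# Outer class declaration: access modifier, optional modifiers (sharing keywords,
# virtual/abstract in any order), then "class Name".
CLASS_DECL_RE = re.compile(
    r'\b(?:public|global|private)\s+'
    r'(?P<mods>(?:(?:virtual|abstract|with\s+sharing|without\s+sharing|inherited\s+sharing)\s+)*)'
    r'class\s+(?P<name>\w+)'
)

# @AuraEnabled methods, with or without an argument list such as (cacheable=true);
# the return type may contain generics like Map<String, Object>.
AURA_METHOD_RE = re.compile(
    r'@AuraEnabled(?:\s*\([^)]*\))?\s+(?:public|global)\s+static\s+'
    r'[\w<>\[\].,\s]+?\s+(?P<name>\w+)\s*\('
)

# Constructed sample classes (file name -> source); not taken from any real org.
SAMPLE_CLASSES = {
    "ContactListController.cls":
        "public with sharing class ContactListController {\n"
        "    @AuraEnabled(cacheable=true)\n"
        "    public static List<Contact> getContacts() {\n"
        "        return [SELECT Id, Name FROM Contact LIMIT 50];\n"
        "    }\n"
        "}",
    "AccountSearchController.cls":
        "public without sharing class AccountSearchController {\n"
        "    @AuraEnabled\n"
        "    public static List<Account> search(String term) {\n"
        "        return [SELECT Id, Name FROM Account WHERE Name LIKE :('%' + term + '%')];\n"
        "    }\n"
        "    @AuraEnabled(cacheable=true)\n"
        "    public static List<Account> recent() {\n"
        "        return [SELECT Id, Name FROM Account ORDER BY LastModifiedDate DESC LIMIT 10];\n"
        "    }\n"
        "}",
    "ReportService.cls":
        "public class ReportService {\n"
        "    @AuraEnabled\n"
        "    public static Map<String, Object> getData() {\n"
        "        return new Map<String, Object>();\n"
        "    }\n"
        "}",
    "StringUtils.cls":
        "public class StringUtils {\n"
        "    public static String clean(String s) { return s == null ? '' : s.trim(); }\n"
        "}",
}


def analyze_class(source):
    """Return the outer class name, its sharing keyword and its @AuraEnabled method names."""
    decl = CLASS_DECL_RE.search(source)
    if not decl:
        return None
    mods = re.sub(r"\s+", " ", decl.group("mods")).strip()
    if "without sharing" in mods:
        sharing = "without sharing"
    elif "inherited sharing" in mods:
        sharing = "inherited sharing"
    elif "with sharing" in mods:
        sharing = "with sharing"
    else:
        sharing = "none"
    methods = [m.group("name") for m in AURA_METHOD_RE.finditer(source)]
    return {"name": decl.group("name"), "sharing": sharing, "aura_methods": methods}


def review_classes(sources):
    """List classes exposing @AuraEnabled methods, with the action and review notes for each."""
    findings = []
    for source in sources.values():
        info = analyze_class(source)
        if not info or not info["aura_methods"]:
            continue  # no @AuraEnabled entry points, so no class access is needed for this update
        notes = ["grant class access via profile or permission set"]
        if info["sharing"] == "without sharing":
            notes.append("runs ignoring the user's sharing rules: review what its queries return")
        elif info["sharing"] == "none":
            notes.append("no sharing keyword: sharing is not enforced unless inherited from a caller")
        findings.append({**info, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in review_classes(SAMPLE_CLASSES):
        print(f["name"], f["sharing"], f["aura_methods"])
        for note in f["notes"]:
            print("   -", note)
```

StringUtils is skipped because it exposes nothing to Lightning components, while all three controller classes are listed as needing class access; only AccountSearchController and ReportService get the extra review note, matching the distinction drawn in the replies between class access and the sharing keyword.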
Hana Lokey
Hi Jonathan, 

Thanks for trying to explain. I've been an admin for a while but still pretty new to Apex classes. I'm still a bit lost. When you said "For Aura you'll need to look for the following in the component markup" what does that mean? Where is the markup?

When I click on the name of an Apex class this is what I see: [screenshot]

Thanks