
Issue

In the Spring ‘20 Salesforce release, Salesforce is modifying what guest users are able to do using out of the box Salesforce in order to secure communities and force.com sites. As noted in this documentation and further explained in this documentation, although the changes are part of the Spring ‘20 release, they will not be automatically enabled in orgs until March 1st. 


Who Will be Affected by This:

Any clients who utilize guest users in your Salesforce org may be affected by this depending on what your guest users do.


How Does this Affect My Use of Skuid and What is Skuid Doing About It? 

Salesforce’s change also impacts Skuid’s File Upload component for site guest users. The Skuid Product Engineering team is working on a product change to restore the ability for Guest Users to use Skuid’s File Upload component to upload attachments to records. This change will be available in 11.2.30 and 12.2.14. 


What Do I Need to Do? 

As soon as possible, any clients who utilize guest users in your Salesforce org need to thoroughly test all functionality that your guest users can currently do in your prod org against what they can do in a sandbox with “Secure guest user record access” enabled.

1. If you are using Skuid’s File Upload component for site guest users: 

  1. Upgrade a sandbox to either 11.2.29 or 12.2.13 per these instructions. This way, you will be prepared to move quickly when the upcoming Skuid release that contains the fix is available (11.2.30 or 12.2.14) 

  2. Thoroughly test that version to ensure there are no adverse changes to any of your mission critical functionality

  3. Upgrade that sandbox to 11.2.30 or 12.2.14 when it is available and test again

  4. Upgrade your production org to 11.2.30 or 12.2.14 when everything checks out in your sandbox. 

Please note that even on Skuid version 11.2.30 or 12.2.14, you will still need to use Salesforce’s new Guest User Sharing Rules to grant record level access to the records your Guest Users should be able to access. 

For example, if your Guest Users currently use Skuid to create a record and then upload a file as an attachment to that record, you will need to create one or more Guest User Sharing Rules to share these newly-created records to your site’s Guest User. If you do not create the requisite sharing rules, you will still be unable to use Skuid’s File Upload component to upload attachments to those records, even with 11.2.30 or 12.2.14 installed.

2. If your guest users need to access records they have created, such as allowing Guest Users to create a record and then additional “detail” records related to that first record, you have several options: 

  1. Try to achieve the record access for your site guest user using Site Guest User Sharing Rules

  2. Modify your Skuid Page to either 

    1. Invoke Apex that runs an update in a “without sharing” context to perform the record linkages. 

    2. Run a Flow that runs in system context. 

    3. For more details on 1 or 2, please see this article on how Salesforce recommends that customers write Apex to work outside of the security model you have configured for your Org.

  3. If you continue to have problems either:

    1. Open a case with Salesforce detailing your use case and how it works currently in Winter ’20 and what you need it to continue to do. Our understanding is that Salesforce has a task force to help clients work through any issues related to this release.

    2. Sign up for Salesforce’s office hours to ask questions of the experts live. 


Other Salesforce Resources That May be Helpful

Here are also some resources Salesforce provided: 

Salesforce Winter ‘20 release notes also include changes regarding guest users: 


Hi all, just wanted to close the loop here — the Support team followed up with Dave via email.


I had a similar issue as Bill Fox above. But not sure how or why a guest user is trying to access a skuid page. We do not allow any functionality to guest user. All they see is a login page. Any insights on why a skuid page would be exposed before logging in?


I figured out the issue. Salesforce apparently is checking if the Community Home page is accessible by the guest user even before logging in. In our case the Home Page is a visualforce page calling a skuid page hence the access was needed.


Glad you were able to figure it out, Jayesh! Thanks for sharing what you discovered here.


Update:


  • As explained here, Salesforce has extended the ability to opt out of having the guest user changes auto enabled in Summer ‘20 and will start enforcement of the guest user changes in Winter ‘20 without the option to opt out. 

  • Skuid has identified 2 options available to Skuid clients: 

  1. Declarative: Add an additional user license (for Salesforce & Skuid). You can go about configuring a second Salesforce data source (follow this Salesforce doc) that points to your same org with the user credentials hard coded. However, it is important that you make sure this user ONLY has the permissions that they absolutely need. You can then use this data source on your public page. Note: This method requires an additional paid Salesforce user and Skuid license to accomplish. 


  2. Custom code: 

    1. Use triggers as described here


    2. Write Apex code that runs in “system mode” to get around the Salesforce security model. You will need to use Skuid’s model API on the Skuid page.
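
One way to keep the “without sharing” / “system mode” Apex option from the original post and from this update narrow, as an added example that is not Skuid's or Salesforce's code. The class name, the object and field names (Application__c, Application_Detail__c, Access_Token__c, Note__c) and the per-record token scheme are assumptions for illustration, and it is exposed as an invocable method on the assumption that the page or a Flow calls it that way.

```apex
// Added example. Application__c, Application_Detail__c, Access_Token__c and
// Note__c are hypothetical names, not objects from Skuid or Salesforce.
public without sharing class GuestDetailLinker {
    public class AccessDeniedException extends Exception {}

    public class Request {
        @InvocableVariable(required=true) public Id parentId;
        @InvocableVariable(required=true) public String accessToken;
        @InvocableVariable(required=true) public String note;
    }

    // Run when the parent is created: store the result in Access_Token__c and
    // return it only to the session that created the record (256 random bits).
    public static String newToken() {
        return EncodingUtil.convertToHex(Crypto.generateAesKey(256));
    }

    @InvocableMethod(label='Add detail to a guest-created application')
    public static List<Id> addDetails(List<Request> requests) {
        Set<Id> parentIds = new Set<Id>();
        for (Request r : requests) {
            parentIds.add(r.parentId);
        }
        // Sharing is bypassed in this class, so the token check below is the
        // only thing standing between a guest and someone else's record.
        Map<Id, Application__c> parents = new Map<Id, Application__c>(
            [SELECT Id, Access_Token__c FROM Application__c WHERE Id IN :parentIds]);

        List<Application_Detail__c> details = new List<Application_Detail__c>();
        for (Request r : requests) {
            Application__c parent = parents.get(r.parentId);
            // String.equals is case-sensitive; blank or wrong tokens are refused.
            if (parent == null || String.isBlank(parent.Access_Token__c)
                    || !parent.Access_Token__c.equals(r.accessToken)) {
                throw new AccessDeniedException('Not authorised for this record');
            }
            // Fixed object and fields only: the caller never names what is written.
            details.add(new Application_Detail__c(
                Application__c = r.parentId, Note__c = r.note.left(255)));
        }
        insert details;
        List<Id> createdIds = new List<Id>();
        for (Application_Detail__c d : details) {
            createdIds.add(d.Id);
        }
        return createdIds;
    }
}
```

Grant the site guest user profile access to this one class rather than to a general-purpose DML helper, since everything the class can do is reachable by any unauthenticated visitor.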





Thank you for that update, quick question in the Option 1. declarative


It says in the doc :


A few caveats

  • Salesforce permissions are retained in all data source connections; an end user can only see and edit data they have access to in the associated orgs. Ensure that Salesforce user permissions are appropriately set in each external org being accessed.

  • If two people are simultaneously editing an external Salesforce org’s data, the last edit wins.

Regarding Point #2, just to clarify if 2 different people use that skuid page and edit 2 different records at the same time, only one of them would save its own changes?


Hi Dave, in the scenario you described above (2 people, 2 different records, same page), both users’ changes should be saved. We don’t expect that there would be conflicts unless both users were trying to update the same record at the same time.


Hi Anna, thank you for the answer above. I just set up a sandbox with the Declarative way, and all seems to be set up properly, and when I try to create a new page, no problem, I can use the ‘external SF Data’ source, but it still asks me to OAuth myself…


So either the instructions are missing something or I did not understand when it comes to login using stored credentials.


So the goal of this is to have external users, without logging into SF, be able to use a specific Skuid page to edit… as I had with the guest user license.


So ofc I tried to ‘hard code’ my credentials for now as it’s a test (I’m admin, not sure I can use mine or not).


And here’s the set up


So here are my questions:



  1. How do I set it up so that it uses the stored credentials above instead of asking me or the public users to OAuth?




  2. Once that is done what skuid page do I share to those users? the one I preview from page builder?



Quite confused, sorry if not very clear


Let me know


Thx


Hey,


Anna or anyone that has tried the declarative way, any way to point me in right direction for message above please?


Hi Dave, I’m checking into #1 and will get back to you.

for #2 the deployment process will be the same as usual, using the Salesforce Sites or Community Builder to deploy your page via the Skuid Page Lightning Component or a Visualforce page. https://docs.skuid.com/latest/v2/en/skuid/deploy/


Thank you Anna for helping me with this!


So just to be clear for #2, the same way I was sharing my page with Guest User via VF using sites, this will work the same way, but instead of using the guest user access, it would use the programmed credentials?


Thank you


Hi Dave:


For #1, it looks like your Authentication Provider “ExternalSF” may need to be tweaked. Set your Grant Type to Resource Owner Password Credentials in the Auth Provider configuration, and you get the option to specify a Credential Source on the Data Source config screen. Here’s our documentation on the setting.  This is where you enter the username and password for your custom guest user.


#2. Build / update the pages you want to use on your site to use this External SF data source. For existing pages, you can update the XML so that the models are pointing to the new External SF data source rather than the original Salesforce Data Source. This is the page you will share via VF using sites. The site viewer will still be an unauthenticated guest user, but because the pages are using the External SF data source, guest users should be able to access the data according to the permissions you’ve assigned to the custom guest user.  


Again, make sure that the custom guest user only has the view and edit permissions that they absolutely need so that your site remains secure.


Hi, I am wondering if this change will have any impact to passing variables as “params” on public sites?


@Anna

Thank you very much, I finally got it to work mostly! ‘Guest User’ can view and Edit

But Regarding the File upload with the declarative way, it is not working for me.

Whether I try: Method A: In Content Document (with Record Context) or Method B: Attachment to Record

Guest user has access to record(sharing rule enabled). Stored Credentials used for now are Admin, so not a permission issue.

The ‘Guest user’ sees this message instead of the file upload component:


You do not have permission to upload files using the API.

Followed the little instructions I found here: https://docs.skuid.com/latest/en/data/salesforce/?_ga=2.260097357.170701798.1592344177-1892582263.15…

Any ideas?






Hey Dave, glad to hear you’re making progress.

  • what version of Skuid are you using? 12.2.?

  • Remind me what context for this? Force.com Site? Lightning Community?


A couple things to check:

  • If using Skuid-in-Visualforce to deploy in your community, make sure you follow the steps here to make a copy of the FileUpload Visualforce page and allow access to your new community guest user. 

  • This Visualforce Page should also be added to the list of Visualforce for the Force.com Site.


For convenience, here’s also the docs for the upload component https://docs.skuid.com/latest/en/skuid/components/ink/file-upload/.


Hey Anna,

Thank you for the quick response above, as I would love to finish this today.

I’m on 12.2.19

Context is for Sites

We use Skuid in VF, and the Site’s guest user has access to the VF page for redirect, and those 3 you mentioned, Upload Image, Social and Include cloned VF pages (I even updated them in case they got changed in a newer version).

Still same error.

Any other idea I can try?

This is my last piece of the puzzle before I attempt all of this in Production.



Does anyone have a sample VF page and APEX code to allow the guest user on a force.com site with skuid to read/create/edit?


I’d rather not have to require all of our customers to add a skuid and salesforce license to keep their force.com sites working.


I tried looking at that option with my Dev, but it seems very complex, so we made the decision, instead of spending $$ on development and the time it would take to get it done properly, to use the declarative way. More expensive in the long run, but faster and simpler deployment!

Hope someone can share that, I would be curious as well




Hi Nicholas, it depends on which variables you’re passing as params. The guest user will need to have access to those variables (e.g. record ids).

Remember that there is no distinction between guest users from a security standpoint, so any guest user familiar with the JavaScript console can use it to access all the records that are open to guest user access regardless of how Skuid’s conditions are set up.



Has anyone had success in passing login credentials via URL for all browsers? For example it works fine in Chrome but not Safari.


https://yourdomainhere.my.salesforce.com/login.jsp?pw=yourpasswordhere&un=youremailhere


Hi everyone, thanks for your patience here.


Skuid has fixed the issue you raised regarding Guest Users Accessing the File Upload Component for External Salesforce Data Sources in Force.com Site (issue CORE-3089) in the new 13.0.11 and 12.4.19 releases which are now available on the Skuid Releases page. Thanks again for alerting us of this issue! You should no longer get the “You do not have permission to upload files using the API” error.


Best practices for upgrading can be found in Upgrading Skuid on Salesforce. As a reminder, Salesforce does NOT allow reverting back to prior versions of managed packages. Skuid always recommends installing new versions in a non-business critical sandbox environment to test all mission critical functionality before installing into a production environment. We also recommend that you update out of date themes after you upgrade. Please let us know if you continue to encounter any problems with this issue after upgrading.


Branched off conversation re: shared guest user credentials on 13.0.11 http://community.skuid.com/discussion/8015550/13-0-11-guest-user-access-using-stored-credentials

