Salesforce Winter ’20 Release Notes(Critical Updates and Security Alerts) - Summary

Summary - Salesforce Winter ’20 Release

1. Critical Updates and Security Alerts

• Enable ICU( International Components for Unicode) Locale Formats (Critical Update)
• Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile
• Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile
• Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing
• Enforce Access Modifiers on Apex Properties in Lightning Component Markup
• Enable Partial Save for Invocable Actions

Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile

 A guest, portal, or community user can access an @AuraEnabled Apex method only when the user’s profile allows access to the Apex class. This critical update enforces user profile restrictions for Apex classes used by Aura and Lightning web components.

Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile

An authenticated user can access an @AuraEnabled Apex method only when the user’s profile allows access to the Apex class. This critical update enforces user profile restrictions for Apex classes used by Aura and Lightning web components.

Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing

This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to with sharing.

Note: This critical update applies only to orgs created after Spring ’18 or orgs that activated the retired “Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing” critical update that had the opposite effect and set the default to without sharing.

Enforce Access Modifiers on Apex Properties in Lightning Component Markup

This critical update makes Lightning components consistent with the usage of Apex properties in other contexts. For example, a markup expression can no longer access an Apex property with a private Apex getter.

Example : 

issue :- 

@AuraEnabled
 public Integer counter { private/protected get; set; }

Aura component/LWC can’t access the private/protected getter.

fix :-

@AuraEnabled
public Integer counter { get; set; }

Enable Partial Save for Invocable Actions

It only affects external REST API calls to invocable actions done in bulk. With this update, when invoking a set of actions in a single request, a single failed invocable action no longer causes the entire transaction to fail. Without this update, if a single invocable action fails, other invocable actions within the transaction are rolled back and the entire transaction fails.

Note : Most invocable action types that are invoked via REST API are enabled with the partial save functionality. However, even with this critical update, the following action types don’t support partial save functionality:

• Cancel Fulfillment Order
• Cancellation Orders
• Capture Funds
• Content Workspaces
• Create Fulfillment Order
• Create Invoice from Fulfillment Order
• Create Service Report
• External Services
• Generate Work Orders
• Invocable Apex
• Skills-based Routing
• Submit Digital Form Response

New Security Alerts

Automatically Assign Records Created by Guest Users to a Default Owner (Security Alert)
Set up your org so that guest users are no longer automatically the owner of records they create. Instead, when a guest user creates a record, the record is assigned to a default active user in the org, who becomes the owner.

View All Users and Other Permissions Disabled in Guest User Profiles 
Guest users typically don’t need access to view all users in a Salesforce org, the View All Users permission has been disabled in guest user profiles. If you have an org created before Winter ’20, we recommend that you check guest user access and deselect the View All Users permission in all your guest user profiles. To enhance security, we also removed these permissions from the guest user profile: Can Approve Feed Post and Comments, Enable UI Tier Architecture, Remove People from Direct Messages, View Topics, and Send Non-Commercial Email.

Secure Guest Users’ Org-Wide Defaults and Sharing Model (Security Alert)
To increase the security of your Salesforce data, we‘re enforcing private org-wide defaults for guest users. We’re also restricting the sharing mechanisms that you can use to grant record access to guest users. If you have an org created before Winter ’20, we recommend that you review the external org-wide defaults, public groups, queues, and manual sharing that you use to grant access to guest users. Then replace the access previously granted by these sharing mechanisms with guest user sharing rules before the security alert is enforced.

Community Nicknames (Security Alert)

Starting in Winter ’20, community nicknames are enabled by default for new communities and no longer based on user names.