If some of your custom Lightning Web Components have started to fail in a subtle way, and if your Chrome console is throwing a 500 error to your users, then this might be the problem you are encountering.
Why is this happening now?
By now I mean September-October 2020, which coincides with the latest Winter ’21 Salesforce update. In case you missed it, the Summer ’20 critical updates included this:

But they also postponed it to the Winter ’21 release, which is what brought us here today. Before this update, all classes applied “not sharing” as the default. Now the default has changed to “sharing” rules, which causes all this mess if you didn’t consider it when developing in the first place.
What does this mean?
Roughly speaking, it means that every component using APEX controllers with the @AuraEnabled annotation must explicitly state whether the class is accessible according to the permissions of the user executing it, or whether it should run in system context without considering any permission restriction.
The way to do this is by using the “with sharing” or “without sharing” keywords when declaring a new class. For instance:
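    public with sharing class IdeasHelper { // Enforcing the sharing rules
        @AuraEnabled
        public static void createVote(String IdeaId) {
            try {
                sonn_Idea_Vote__c newVote = new sonn_Idea_Vote__c();
                newVote.sonn_Idea__c = IdeaId;
                insert newVote;
            } catch (Exception e) {
                // Keep only the text after the "..._EXCEPTION," prefix
                String errorMsg = e.getMessage();
                String pureErrorMsg = errorMsg.substringAfter('_EXCEPTION,');
                if (pureErrorMsg.length() > 4) {
                    // Drop the last 4 characters of the message
                    pureErrorMsg = pureErrorMsg.substring(0, pureErrorMsg.length() - 4);
                } else {
                    // Prefix not found: fall back to the full message instead of
                    // failing on a negative substring index
                    pureErrorMsg = errorMsg;
                }
                // Surface a readable error to the Lightning component
                throw new AuraHandledException(pureErrorMsg);
            }
        }
    }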
Specifying “with sharing” means that the class will be executed considering the permissions granted to the user who executes it. So, if a user clicks on the “Vote” button but does not have specific access to the IdeasHelper APEX class, it will crash. It can fail in several ways:
- Just not rendering the component (in case the rendering depends on a result thrown by the APEX controller)
- By throwing a 500 server error “You don’t have access to the XX APEX class” in your browser console
- By returning a nice friendly error, in case you handled it. Like this one:

This is obviously for security reasons, in order not to expose sensitive information to users who shouldn’t see it, especially in web services.
Long story short, you can solve this in three ways:
- Using the ‘without sharing’ rule when declaring the class. This means that the class will completely ignore the permissions granted to the executor and will run directly in system context (as if omnipotent). When applying this measure, be aware of the implications it has for the security of your code and org, and of who will potentially access your information.
- Using ‘with sharing’ and specifically granting permissions. No mysteries here: once you deploy your APEX controller, you must also deploy permissions to user profiles or permission sets. Or, once you have deployed them, grant them in production. For more details, see the next point, “Granting access to an APEX class”.
- Creating a specific permission set and deploying it in the meta XML of your component. See this wonderful post about how to do that.
Granting access to an APEX class
This is the quick and easy way to grant access through the UI to a specific user or user role:
1. Click the gear icon in the upper right corner and select “Setup”.
2. Open the “APEX Classes” menu and locate the class you need to grant access to:

3. Open your class and click the “Security” button.

4. Grant access to the user profiles that you expect will be using the class. As a rule of thumb, be as restrictive as you can.

5. Hit ‘Save’ and you are done.
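To check that the grants ended up as restrictive as intended, the added example below (not part of the original post) scans retrieved profile and permission set metadata for `classAccesses` entries that enable the class and compares them with an allow-list. The file names, sample XML and allow-list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}  # Salesforce metadata namespace

def grants_class(xml_text, class_name):
    """True if a Profile/PermissionSet metadata file enables access to class_name."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for access in root.findall("sf:classAccesses", NS):
        name = access.findtext("sf:apexClass", default="", namespaces=NS).strip()
        enabled = access.findtext("sf:enabled", default="false", namespaces=NS).strip()
        # Apex class names are case-insensitive
        if name.lower() == class_name.lower() and enabled == "true":
            return True
    return False

def audit(files, class_name, allowed):
    """Compare actual grants with an allow-list: (granting, unexpected, missing)."""
    granting = sorted(p for p, xml in files.items() if grants_class(xml, class_name))
    unexpected = [p for p in granting if p not in allowed]     # broader than intended
    missing = sorted(p for p in allowed if p not in granting)  # users here hit the access error
    return granting, unexpected, missing

def _sample(root_tag, enabled):
    # Constructed XML in the shape of a retrieved *-meta.xml file (not real org data)
    return (f'<{root_tag} xmlns="http://soap.sforce.com/2006/04/metadata">'
            f"<classAccesses><apexClass>IdeasHelper</apexClass>"
            f"<enabled>{enabled}</enabled></classAccesses></{root_tag}>")

# Hypothetical file names; in a project these would be read from disk.
SAMPLE_FILES = {
    "permissionsets/Ideas_Voter.permissionset-meta.xml": _sample("PermissionSet", "true"),
    "profiles/Idea Contributor.profile-meta.xml": _sample("Profile", "true"),
    "profiles/Community Guest.profile-meta.xml": _sample("Profile", "true"),
    "profiles/Support Agent.profile-meta.xml": _sample("Profile", "false"),
}
# Assumed policy: who is supposed to be able to call IdeasHelper
ALLOWED = {
    "permissionsets/Ideas_Voter.permissionset-meta.xml",
    "profiles/Idea Contributor.profile-meta.xml",
    "profiles/Support Agent.profile-meta.xml",
}

if __name__ == "__main__":
    granting, unexpected, missing = audit(SAMPLE_FILES, "IdeasHelper", ALLOWED)
    print("grants access:", granting)
    print("not on allow-list:", unexpected)
    print("allowed but not granted:", missing)
```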
Some documentation about this issue
To extend your knowledge about this issue and how it works, I recommend consulting the following documentation:
- Salesforce Official: Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile (Update, Postponed)
- Salesforce Official: Enforcing sharing rules in APEX
- Desynit, Fix Permissions for @AuraEnabled APEX
Peace and Code!
Nadine.