As we all know security is always the number 1 priority for Salesforce, so there is a critical update coming to all of our Salesforce environments. This will change the way we provide access to AuraEnabled Apex methods. 
From this post, you can expect –
  • What problem this update is going to solve?
  • When can we expect this update in our environments?
  • Show me the problem
  • Show me the solution(s)
  • Show me all the places where I need to make this change

What problem this update is going to solve?

When we write our Lightning Component or Lightning Web Component today, for any type of server operation, we write Apex classes and annotate the method with @AuraEnabled. We don’t have an option today to restrict the access to our AuraEnabled methods today. 

That is why Salesforce came up with this important critical update where you need to specify who can access your AuraEnabled methods. I will explain this update with one example later in this post.

When can we expect this update in our environments?

This update “Restrict @AuraEnabled Apex methods to authenticated users” came as part of Salesforce’s Winter ’20 release. Enforcement will start on August 9th, 2020.

Show me the problem

Let’s say we have this below Lightning Web Component where we pass a string to the AuraEnable controller class and then class return list of Contacts. Finally component is going to display the list of contacts. Below is the code –
import { LightningElement, track } from “lwc”;
import serachContacts from “@salesforce/apex/ContactSearchController.retriveContacts”;

// datatable columns
const columns = [
{
label: “Name”,
fieldName: “Name”,
type: “url”,
typeAttributes: { label: { fieldName: “Name” }, target: “_blank” }
}
];
export default class CustomSearchInLWC extends LightningElement {
@track searchData;
@track columns = columns;
@track strSearchProdName;

handleContactName(event) {
this.strSearchContactName = event.detail.value;
serachContacts({ strContactName: this.strSearchContactName })
.then((result) => {
this.searchData = result;
})
.catch((error) => {
console.error(error);
});
}
}

Apex Class – ContactSearchController
public with sharing class ContactSearchController {
@AuraEnabled(Cacheable=true)
public static List<Contact> retriveContacts(String strContactName) {
strContactName = ‘%’ + strContactName + ‘%’;
List<Contact> allContacts = [
SELECT Id, Name
FROM Contact
WHERE Name LIKE :strContactName
];
return allContacts;
}
}

This is how the Lightning Web Component will look like –
This setup will work until we enable the below critical update, which you can find under 
Setup -> Release Updates (Beta)
Now if we enable this update and try to access the same page again, we will see the below error in the console window –

From the message, it is very much clear that the user is not having access to ContactSearchController.

Show me the solution(s)

We have two options in today. Either give the permission in the user’s profile level or assign permission sets(selecting the Apex class permission there) to users.

Show me all the places where I need to make this change

Salesforce came up with an unlocked package, named @AuraEnabled Scanner, which you can install by — https://<myDomain>.lightning.force.com/packaging/installPackage.apexp?p0=04tB0000000ZQHxIAO, where <myDomain> is the name of your custom Salesforce domain.

Once installed, open the app by typing https://<myDomain>.lightning.force.com/c/AuraEnabledScanner.app You need to have AuraEnabled Scanner User permission set assigned to you so that you can access this app. 

App will show you all the places where you need to make this change like shown below –


Hope that this post will be helpful. Thank you.