Over the last few Salesforce releases, we’ve seen Salesforce make incremental improvements to its security model. This is in reaction to public security breaches such as SolarWinds, along with the successful class action against Salesforce & Hanna Andersson. The goal is to ensure that customers are protected from attack through insecure development and, more often than not, simple use of ‘default’ configurations. These steps appear intended to ensure that responsibility for any such future breach does not lie at Salesforce’s door.
With Provar, our customers have been able to use their regression test packs to verify the impact of these updates months ahead of their automatic enforcement. Most changes we catch for our customers do not require them to update their test cases. However, some changes that Salesforce introduces affect the expected result, which means you need to decide whether to accept the new behavior by changing your customisations or by changing your test case expected results.
With Salesforce’s Summer ‘21 release hitting Pre-Release environments, I wanted to highlight some enforced release updates to consider including in your release regression planning. Some teams have historically neglected these until the Sandbox Preview, or even until Production releases enforce the behavior! Best of all, you don’t need to wait until Summer ‘21 hits your sandbox to test them.
History of Recent (Breaking) Changes
Spring ‘20 & Summer ‘20
Many elements of these changes were deferred to give customers more time to prepare during the impact of Covid-19 and to avoid disruption to businesses.
- Change: Secure Guest User Record Access.
- Common Impacts: Community Cloud unauthenticated users, Site.com and Lightning Out page failures; external API calls into Salesforce failed to retrieve records; missing data records (no results found) on public Search; changes to the record owner for newly created records causing business logic failures.
- How Provar Helped: Regression tests run using Provar TestRunner flagged page and API failures on both Salesforce and non-Salesforce applications under test. Customer support teams were able to rectify the permissions and use Provar to automatically retest that the changes had restored the expected behaviour, which helped identify any additional areas that were missed during impact assessment.
- Change: Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile. Sounds simple, but this change broke a lot of implementations.
- Common Impacts: Aura component Quick Actions, Lightning Page Customisations and Experience (Community) Cloud pages using Apex methods failed if the user’s profile or permissions did not include security access to the supporting Apex class. Prior to Winter ‘21 these interactions would have worked.
- How Provar Helped: Permission changes to Profiles are notoriously difficult to deploy unless the related artifact is deployed at the same time. Permission sets can be deployed but need to be granted to users. Provar test cases were used to identify broken UI components in regression tests, by development teams to smoke test that the deployment steps had been completed and to automate the granting of permissions to users via API or UI interactions.
- Change: Require explicit assignment of Apex class security to profiles/permission sets.
- Common Impacts: Experience Cloud and Site.com page errors, Visualforce page failures and processes/flows using invocable Apex broke in production. We even saw failures on the Salesforce Partner Community when raising new Cases.
- How Provar Helped: Regression tests run against Sandboxes identified page failures with error pages being shown, components not rendering and data values not appearing in custom components. After rectifying the root cause, teams were able to rerun the same Provar tests and repeat them for different user profiles to check coverage across all profiles and user types. On production, release teams were able to run a test plan to smoke test that the production instance had been updated correctly.
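A pre-deployment check for the two Apex class access changes above, as an added example that is not Provar's or Salesforce's code: it reports, per profile, the classes with `@AuraEnabled` methods that the profile's `classAccesses` metadata entries do not enable. The class and profile names are constructed, and it assumes the Apex sources and profile metadata XML are available as text.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}  # Metadata API namespace

def aura_enabled_classes(apex_sources):
    """Names of Apex classes whose source has a live @AuraEnabled annotation."""
    found = set()
    for name, body in apex_sources.items():
        # Heuristic: drop comments so a commented-out annotation is not counted.
        code = re.sub(r"/\*.*?\*/|//[^\n]*", "", body, flags=re.DOTALL)
        if re.search(r"@AuraEnabled\b", code, re.IGNORECASE):  # Apex is case-insensitive
            found.add(name)
    return found

def granted_classes(container_xml):
    """Apex classes enabled in one Profile or PermissionSet metadata file."""
    root = ET.fromstring(container_xml)
    granted = set()
    for access in root.findall("md:classAccesses", NS):
        if access.findtext("md:enabled", "false", NS).strip().lower() == "true":
            granted.add(access.findtext("md:apexClass", "", NS).strip())
    return granted

def missing_access(apex_sources, containers):
    """Per profile/permission set: @AuraEnabled classes it does not grant."""
    needed = aura_enabled_classes(apex_sources)
    return {n: sorted(needed - granted_classes(x)) for n, x in containers.items()}

# Constructed sample input (hypothetical class and profile names).
APEX = {
    "CaseActions": "public with sharing class CaseActions {\n"
                   "  @AuraEnabled(cacheable=true)\n"
                   "  public static List<Case> openCases() { return [SELECT Id FROM Case]; }\n}",
    "QuoteCtrl": "public class QuoteCtrl {\n  @auraenabled\n  public static void save() {}\n}",
    "OrderHelper": "public class OrderHelper {\n  // @AuraEnabled removed\n"
                   "  public static void recalc() {}\n}",
}
XMLNS = 'xmlns="http://soap.sforce.com/2006/04/metadata"'
PROFILES = {
    "Community User": f"<Profile {XMLNS}><classAccesses><apexClass>CaseActions</apexClass>"
                      "<enabled>false</enabled></classAccesses></Profile>",
    "Sales Rep": f"<Profile {XMLNS}>"
                 "<classAccesses><apexClass>CaseActions</apexClass><enabled>true</enabled></classAccesses>"
                 "<classAccesses><apexClass>QuoteCtrl</apexClass><enabled>true</enabled></classAccesses>"
                 "</Profile>",
}

if __name__ == "__main__":
    for name, gaps in missing_access(APEX, PROFILES).items():
        print(f"{name}: {'OK' if not gaps else 'no access to ' + ', '.join(gaps)}")
```

Permission set metadata uses the same `classAccesses` element, so `granted_classes` applies to it unchanged; a user's effective access is the union of their profile and assigned permission sets.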
What’s next for Summer ‘21?
Here is a summary of upcoming security changes that could potentially break your current Salesforce application customisations when enabled. We strongly recommend you enable these Release Updates in a Sandbox and test the impact before the auto-activation deadlines.
| Release Update | Auto-activation | Potential Impact | How Provar can help |
| --- | --- | --- | --- |
| Disable Access to Non-global Controller Methods in Managed Packages | Summer ‘21 | Prior to this change your local Aura development could access Apex methods in 3rd party packages that were not shared as global. After enabling this change you may see Aura components fail to display or display errors if they reference non-global methods. | Ensure you have UI test coverage for your custom components which will fail if fields & values cannot be located. |
| Enforce Access Modifiers on Apex Properties in Lightning Component Markup | Summer ‘21 | Prior to this change Aura and LWC customisations could reference private attributes in Apex controllers. This change has already started to hit some sandboxes from April 4th 2021. This may cause components to fail, errors or values not to appear as expected. | Ensure you have UI test coverage for your custom components which will fail if fields & values cannot be located. |
| Enforce Data Access in Flow Merge Fields | Summer ‘21 | Previously postponed, we’re expecting this to finally be enforced. If affected, Flows that reference fields that the running user does not have permission to access will fail and likely cause a failure email to the flow author. | Ensure you have at least API coverage for your record triggered flows and UI coverage for screen flows and Quick Actions to verify expected behaviour. |
| Require Verification When Experience Cloud Users, Partners, and Customers Change Their Email Address | Summer ‘21 | Experience (Community) Cloud users who change their email address will get a generic email notification instead of a company branded one. | Customise your email template and use Provar to test the email is received on change of Experience Cloud user email address. Rerun the same test for a user after deploying the template to production to verify your deployment. |
This list is far from exhaustive and we strongly recommend you review the Draft Release Notes for Summer ‘21 when they become available from April 20th 2021 and stay up to date with amendments until Sandbox Preview starts from May 8th 2021. There is a set of excellent Trailhead Modules on Release Readiness if you are unfamiliar with this activity.
Future Roadmap Insights & Predictions
If we take out our crystal ball, we know the following changes are in the Salesforce pipeline, though where they may land, or whether they go ahead at all, is the ultimate in forward-looking statements. Proposed release versions are always subject to change:
- Dynamic Forms for Standard Objects (deferred from Spring ‘21 and not in Summer ‘21 pre-release orgs at the time of writing). Provar handles conversion from Page Layouts to Dynamic Forms to ensure you don’t need to amend your test cases unexpectedly, but you may wish to amend your tests to cater for customisations on field and section visibility rules your Salesforce admins introduce.
- Incremental changes to the Lightning DOM to implement full open shadow DOM. Provar makes every effort to protect you from these changes on standard Salesforce elements, but where you have developed your own Page Objects and XPaths to test your custom web components, you may wish to edit your locators to use a ProvarX field mapping to insulate you from future DOM changes.
- Incremental changes (component by component) to Experience Cloud to render standard components as Lightning Web Components instead of Aura Components. You may today be using AuraBy or XPath locators to test Experience Cloud sites, which may need a simple remapping in the PageObject. We predict this will first be made available as an optional Release Update before being enforced at a future date.
- Order Save Behaviour Update (enforced in Summer ‘22). This is already available to test, and customers are advised to do so as soon as possible because changes to customisations may be required. This change is likely to affect any record triggered customisations and business logic on the Order and Order Line Item objects, or cause actions to fire more than once.
- Dynamic Interactions is a new declarative solution, due to enter Pilot soon, for configuring reactive, dynamic components. We predict this is unlikely to be GA before Spring ‘22 based on previous pilot programs. It could change the contents of one component based on actions and values in another. Such components would be good candidates to add to your test coverage, and the feature may help you identify unnecessary page and component refreshes that were previously used in your solution.