[SalesForce] LightningSelfRegisterController appears to be running in User context; shouldn’t it run in System context

I'm customizing the LightningSelfRegisterController shipped with Lightning Communities. I was surprised to learn that a query didn't return the results I was expecting, seemingly due to the context in which the controller was running.

It's my understanding that standard Apex controllers run in User context, and custom controllers (and most Apex with a few exceptions) run in System context. Since LightningSelfRegisterController doesn't extend any standard controller, I assumed I'd be working in the System context, but I was wrong.

In the selfRegister method I did this:

@AuraEnabled
public static String selfRegister(String firstname, String lastname, String email, String password, String confirmPassword, String accountId, String regConfirmUrl, String extraFields, String startUrl, Boolean includePassword) {

    System.debug('In LightningSelfRegisterController.selfRegister');
    System.debug('Running User: ' + UserInfo.getUserId());

    // ...
} 

This returned the ID of the Guest User for the Community. My theory is my queries are running in the context of the Community Guest User, and not system. Actually, I'm not certain what UserInfo.getUserId() would return if running in System context. Running my queries as Admin, I get the results I expect. When they run from the LightningSelfRegisterController, I get no results for the exact same query.

So is there anything special about LightningSelfRegisterController that would cause it to run in User context, and thus enforce that user's permissions/FLS/sharing rules?

What makes LightningSelfRegisterController different than any other custom class called on by a custom Lightning Component?

Best Answer

Whenever you create a Community or Force.com site, a new Profile and a new User are created. This is called the Guest User.

When you do any operation on a site or community without logging in, it is done by a collective user called the Guest User. Once you log in and get a session, the logged-in user's session is used to perform the operation.

So to answer, LightningSelfRegisterController needs to be without sharing for your SOQL queries and DML to work.

A guest user profile is designed for public users who access your community. Before you publish your community, create a guest user profile so that your customers can view and interact with your community before they sign in. When Communities is enabled, guest users have access to public pages in your communities. However, to allow guest users to view or submit data to a standard or custom object, modify the object’s permission in the community’s guest user profile. Each community has a separate Guest User license, so you can control access to objects (including lookup fields) on a per-community basis.

Src: https://developer.salesforce.com/docs/atlas.en-us.community_templates.meta/community_templates/rss_config_guest_user_profile.htm
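
An added example, not part of the original answer and not Salesforce's shipped controller: one way to confine the `without sharing` bypass described above to a single lookup while the rest of the controller still enforces the guest user's sharing. The class and method names are hypothetical, and it assumes the query in question is a lookup by the `accountId` parameter from the question.

```apex
// Added example. ExampleSelfRegisterController, resolveAccount and
// AccountLookup are hypothetical names, not part of any Salesforce package.
public with sharing class ExampleSelfRegisterController {

    @AuraEnabled
    public static Boolean resolveAccount(String accountId) {
        // UserInfo reports the running user regardless of sharing mode; on an
        // unauthenticated community page that is the community's guest user.
        System.debug('Running user: ' + UserInfo.getUserId()
            + ', type: ' + UserInfo.getUserType());

        // Validate the client-supplied value before it reaches any query.
        if (String.isBlank(accountId)) {
            return false;
        }
        Id parsedId;
        try {
            parsedId = Id.valueOf(accountId);
        } catch (Exception e) {
            return false;
        }
        if (parsedId.getSobjectType() != Account.SObjectType) {
            return false;
        }

        // This class is "with sharing", so the query sees only records
        // shared with the guest user (typically none).
        Integer visibleToGuest =
            [SELECT COUNT() FROM Account WHERE Id = :parsedId];
        System.debug('Rows visible with sharing: ' + visibleToGuest);

        // The same query routed through the narrow helper ignores sharing.
        return new AccountLookup().exists(parsedId);
    }

    // Inner classes do not inherit the outer class's sharing mode, so the
    // bypass is limited to this one bind-variable query on a fixed object.
    private without sharing class AccountLookup {
        public Boolean exists(Id accountId) {
            return [SELECT COUNT() FROM Account WHERE Id = :accountId] > 0;
        }
    }
}
```

Comparing the two debug lines for the same Id shows whether missing rows are caused by sharing for the guest user.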
