+ Start a Discussion
TJMeadowsTJMeadows 

Salesforce Site - Cannot Upload Attachment

Hello all,

With Salesforce's latest release, it appears to have broken file upload by guest users. I thought it was resolved with this ISSUE (https://trailblazer.salesforce.com/issues_view?id=a1p3A000001YpGnQAK) but that doesn't seem to apply to my problem.

I have a Salesforce Site that hosts a visualforce page to allow guest users to update a custom object record and attach a file, via the [New] button on the Attachments related list. Now, however, that upload attempt sends the user to the Unauthorized page. So, I swapped the related list for an apex:inputFile component. The mere existence of that component causes the Unauthorized page upon submission.

Here's a sample page:
<apex:page controller="customController" doctype="html-5.0" showheader="false" sidebar="false">

	<apex:outputpanel id="responsePnl">
	    <apex:form id="responseFrm">
	        <apex:pageblock id="responseBlock" mode="edit">
	            <apex:pageBlockButtons location="bottom">
	        		<apex:commandButton action="{!submitResponse}" value="Submit" rerender="responsePnl">
	        		</apex:commandButton>
	      		</apex:pageBlockButtons>
                <apex:inputFile value="{!att.body}" filename="{!att.name}"/>
            </apex:pageblock>            
	    </apex:form>
    </apex:outputpanel>
</apex:page>
and here's a sample controller:
public without sharing class customController{
    public Attachment att { get; set; }

	public customController() {
		att = new Attachment(ParentId = 'a5p030000008Opb');
	}

	public PageReference submitResponse() {
		if (att.Name != null) {
            insert att;
        }

        return null;
	}
}


If the inputFile is commented out, there are no issues submitting.
I've checked Files > General Settings > "Allow site gue users to upload files"
The Site Guest Profile has Modify All permissions to the custom object.
Secure Guest User Record Access has been enabled and disabled.
Sharing Setting created to enable Read access to the parent object.

Is there something I overlooked with the new Guest permission enforcement?

Other notes:
inputFile causes failed submission everytime.
Attachment related list fails after going through the file upload wizard
Attachment relate list will allow successful update to the custom object if no file upload is attempted.
 

Best Answer chosen by TJMeadows
TJMeadowsTJMeadows
Yes, they offered clarity on the issue and provide the new guidelines for how to allow guest users to upload files.
Salesforce Tier3 Support:
- Unfortunately after further investigation I don't think there's any way to allow a guest user the ability to be able to attach a file to the record via the standard Notes and Attachments related list.
- The reason for this is due to the introduction of guest user sharing rules.
- Prior to the recent guest user security changes that have been introduced in Summer 20 and Winter 21, it used to be possible to provide read/write record access (different from object access) to the guest user.
- With guest user sharing rules, however, write access to a record is no longer possible via sharing rules. Only Read access can be given. So when the user attempts to attach a file through the related list, they are essentially trying to write a change to the parent record which in the customer's case is the Quote Response record. But via the guest user sharing rule, they only have read access to the record.
- Tried to find a way to workaround this but there's no way to give temporary write access to the guest user that I could find.
- As we will be enforcing the Guest user security changes moving forward in Winter 21 and Spring 21, they will need to do the custom route using apex:input file for VF pages or lightning:fileupload for lightning components or LWCs.

One thing to note is that in my quick test implementation, I forgot about the rule that you cannot have a rerender action combined with a visualforce input. VF developers will need to use apex:input file and handle the data encoding via code. The same may apply to any LWC implementations.

All Answers

ShirishaShirisha (Salesforce Developers) 
Hi,

Greetings!

The known bug was fixed in the Summer'20 release and the guest user should be able to upload the file successfully even after the "Secure Guest user Record Access" permission enabled.

I would suggest you to narrow down the code just to upload the file as the guest user and see,if the issue is persists.If yes,then I would suggest you to reach out to the salesforce.com support to investigate further on this.

Kindly mark it as best answer if it helps so that it can help others in the future.

Warm Regards,
Shirisha Pathuri
TJMeadowsTJMeadows
Thanks, Shirisha. I updated the controller to insert an attachment and the error persisted. I simultaneously posted this issues on the developer forums and with Salesforce support. They have replied so we are working through the issue. I will update with the solution once that case comes to a close.

Here's the controller. The accompanying page is a single commandButton that calls submitResponse();
public without sharing class customController{
    public Attachment att { get; set; }
	
	public customController() {
		att = new Attachment(ParentId = 'a5p030000008Opb', Name = 'Test Name');
	}

	public PageReference submitResponse() {
        if (att.Name != null) {
            insert att;
        }        

        return null;
	}
}

 
JeffreyKranzJeffreyKranz
Was support able to provide a resolution to this issue for you?
TJMeadowsTJMeadows
Yes, they offered clarity on the issue and provide the new guidelines for how to allow guest users to upload files.
Salesforce Tier3 Support:
- Unfortunately after further investigation I don't think there's any way to allow a guest user the ability to be able to attach a file to the record via the standard Notes and Attachments related list.
- The reason for this is due to the introduction of guest user sharing rules.
- Prior to the recent guest user security changes that have been introduced in Summer 20 and Winter 21, it used to be possible to provide read/write record access (different from object access) to the guest user.
- With guest user sharing rules, however, write access to a record is no longer possible via sharing rules. Only Read access can be given. So when the user attempts to attach a file through the related list, they are essentially trying to write a change to the parent record which in the customer's case is the Quote Response record. But via the guest user sharing rule, they only have read access to the record.
- Tried to find a way to workaround this but there's no way to give temporary write access to the guest user that I could find.
- As we will be enforcing the Guest user security changes moving forward in Winter 21 and Spring 21, they will need to do the custom route using apex:input file for VF pages or lightning:fileupload for lightning components or LWCs.

One thing to note is that in my quick test implementation, I forgot about the rule that you cannot have a rerender action combined with a visualforce input. VF developers will need to use apex:input file and handle the data encoding via code. The same may apply to any LWC implementations.
This was selected as the best answer