Lightning components can use public Apex controllers from installed packages even if they are not global
Last updated 2017-05-09 · Reference W-3444541 · Reported By 3 users
Summary
Lightning components can use public Apex controllers from installed packages even if they are not global.
Suppose a package contains a public Apex class and the package is installed in a subscriber org.
If you try to access this class in the subscriber org, you get "Compile Error: Type is not visible". This is expected, since the class is not global.
However, you can call its methods if the class is the controller of a Lightning component created in the subscriber org. This is not expected behavior.
Repro
1) In a Dev org, set the namespace to SecIssue and create a managed package.
2) Add to the managed package the following 2 Apex Classes:
public class ApexPublicController {
    // Public (not global) class with a method exposed to Lightning
    @AuraEnabled
    public static String getSomething() {
        return 'HelloFromPublicApex';
    }
}
@IsTest
public class ApexPublicControllerTest {
    static testMethod void myTest() {
        ApexPublicController.getSomething();
    }
}
3) Upload a version of the managed package and copy its install URL
4) Install the managed package in a Subscriber org
5) Verify that in the subscriber org you cannot invoke the public method. For instance, if you create this Apex class:
public class ApexInSub {
public static String getSomething() {return SecIssue.ApexPublicController.getSomething() ; }
}
You will get: Error: Compile Error: Type is not visible: apexpubliccontroller at line 2 column 38
6) Create a Lightning component:
<aura:component controller='SecIssue.ApexPublicController' implements='flexipage:availableForAllPageTypes' access='global'>
    <ui:button label="Call server" press="{!c.echo}"/>
</aura:component>
7) Paste the following in the controller
({
    echo : function(cmp) {
        // "c.getSomething" resolves to the @AuraEnabled method of the packaged Apex controller
        var action = cmp.get("c.getSomething");
        action.setCallback(this, function(response) {
            var state = response.getState();
            if (state === "SUCCESS") {
                alert(response.getReturnValue());
            } else {
                console.log("Unknown error");
            }
        });
        $A.enqueueAction(action);
    }
})
8) You can test this component (for instance, by adding it to a Lightning page using the App Builder) and verify that when you press the button, an alert with the text "HelloFromPublicApex" is shown.
Expected Behavior:
================
According to documentation: "The public access modifier declares that this class is visible in your application or namespace", but currently the class can be used from a different organization, as shown in the example above.
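As the repro shows, an @AuraEnabled method in a public (non-global) packaged class can be called from a Lightning component in the subscriber org. The following Python script is an added example, not part of the original report and not Salesforce code: it lists such classes in a package's Apex source so their methods can be reviewed as reachable from outside the namespace. The function names, the GlobalApi and Helper samples and the regex heuristics are assumptions of this example.

```python
import re

# Heuristic comment stripper; it does not track string literals.
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_CLASS = re.compile(r"\bclass\s+(\w+)", re.I)
# @AuraEnabled[(...)] <modifiers and return type> methodName(
_AURA = re.compile(r"@AuraEnabled(?:\s*\([^)]*\))?\s+[^;{(]*?(\w+)\s*\(", re.I)

def audit_class(source):
    """Return (class name, top-level access, @AuraEnabled method names)."""
    code = _COMMENTS.sub(" ", source)
    decl = _CLASS.search(code)
    if decl is None:
        return None
    # Everything before the first "class" keyword holds the top-level
    # annotations and modifiers (Apex keywords are case-insensitive).
    modifiers = set(re.findall(r"\w+", code[:decl.start()].lower()))
    access = "global" if "global" in modifiers else "non-global"
    return decl.group(1), access, [m.group(1) for m in _AURA.finditer(code)]

def exposed_controllers(sources):
    """Map each non-global class to its @AuraEnabled methods, if it has any."""
    findings = {}
    for text in sources:
        result = audit_class(text)
        if result and result[1] != "global" and result[2]:
            findings[result[0]] = result[2]
    return findings

# Constructed sample input: the first class is the one from the repro above,
# the other two are made up to exercise the checks.
SAMPLES = [
    "public class ApexPublicController {\n"
    "  @AuraEnabled public static String getSomething() {return 'HelloFromPublicApex'; }\n"
    "}",
    "global with sharing class GlobalApi {\n"
    "  @AuraEnabled(cacheable=true) global static List<String> listThings() { return null; }\n"
    "}",
    "public class Helper {\n"
    "  // @AuraEnabled public static void old() {}\n"
    "  public static void internalOnly() {}\n"
    "}",
]

if __name__ == "__main__":
    for name, methods in exposed_controllers(SAMPLES).items():
        print(f"{name}: {', '.join(methods)}")
```

@AuraEnabled properties and methods of inner classes are not distinguished here; inner-class methods are reported under the enclosing top-level class.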
Workaround
None.