Guest users are unable to upload a file when "Secure Guest User Record Access" is enabled
Sharing , Site.com , Communities
Last updated 3 days ago ·Reference W-7289656 ·Reported By 43 users
Summary
When Secure guest user record access is enabled (https://help.salesforce.com/articleView?id=networks_secure_guest_user_sharing.htm&type=5), guest user may lose the ability to upload a file against records they create. The issue occurs because the private sharing model for guest users does not give more than create permission to the records on which file is being attached. In order to use the lightning:fileUpload component the guest user is required to have a minimum of read access to the parent record
Repro
*Sample Use Case*
There may be use cases where you want to allow guest users to create records but not be able to have read access to them after creation. An example would be if a guest user is creating a case in a community, and needs to be able to upload files for documentation on the problem they’re reporting. You wouldn’t want the guest user to have read access to the case records being created, since that would allow any unauthenticated user to view the case. However, without the read permission guest users are not able to upload a file to the case records they create.
*Repro Steps*
Enable Secure Guest Users’ Record Access. (https://releasenotes.docs.salesforce.com/en-us/winter20/release-notes/rn_networks_guest_user_access.htm) Then:
1. Under Setup > General Settings, check " Allow site guest users to upload files "
2. Create a publicly accessible lightning community or force.com (http://force.com/) site
3. Create a new Lightning component with embedded lightning:fileUpload component. Alternatively use a flow.
Workaround
We recommend that you opt out of guest user security policies before auto-enablement in the Summer ’20 release using the Critical Update in your org. Go to Setup>>Critical Updates>>click activate on Opt Out of Guest User Security Policies Before Summer ’20
Reported By (43)









Is it Fixed?
Any unreleased services, features, statuses, or dates referenced in this or other public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available.