CRUD and FLS is not respected for Community Users in a Standard Tab/Visualforce community if path prefix (URL) starts with the 3-char prefix of a Set
Last updated 2020-01-31 ·Reference W-3687955 ·Reported By 4 users
If your community website URL starts with a 3-letter prefix that is also used by Salesforce, it will cause unexpected behavior in the system because of the overlap.
1. Create a custom object (e.g. TestObject), and add a custom field for demonstration purposes (e.g. TestField).
2. Set the org wide sharing settings for the object to 'Private'.
3. Create a partner user. Using either a permission set or a custom profile give the partner user 'Read' access the object (#1), and no access to the custom field (#1).
4. Create a Standard tab and visualforce community, and set the path prefix (aka URL) to 'MyCommunity'. Add the partner profile from #3 as a member of the community.
5. Create at least one record for the custom object. Hit the 'Sharing' button on the record and share it to the partner user from #3 as 'Read Only'.
6. Login as the partner user.
7. Try to open the record from #5 e.g. https://xxxxxx/MyCommunity/<recordId>. Notice you can view but not edit the record, and the custom field should not be visible [correct behaviour].
8. Go back to the community and change the path prefix to '3MPartner'.
9. Repeat step 6-7. Notice that the user can now edit the record, and the custom field is visible + editable.
You will need to make a modification to your Community Path URL. The prefixes are case-sensitive so any change should work.
Example: Changing the "3MP" prefix for 3MPartner to "3Mp" for "3Mpartner".
Is it Fixed?
Any unreleased services, features, statuses, or dates referenced in this or other public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available.