Happy Business Starts Here

Authorization Required Error when loading Zuora Payment Method Capture Unmanaged package.

Jyoti_Sinha
Support SME

Authorization Required Error when loading Zuora Payment Method Capture Unmanaged package.

Subject: Authorization Required Error when loading Zuora Payment Method Capture Unmanaged package.

 

Issue Summary:

See updates in Red [12/22/20]

 

For customers that did not opt out of the Summer ‘20 security release from Salesforce are experiencing the below error when trying to load the Zuora Payment Pages that is part of the Zuora Payment Method Capture Unmanaged package.

Screen Shot 2020-12-22 at 5.26.45 PM.png

With the Summer ‘20 release, Salesforce has added new security settings around the Guest user profile to restrict the access that guest users have to your Salesforce Org. For more information on the release, please see the link found here.

 

Customers can still opt out of these security updates, but with the Winter ’21 Salesforce release, Salesforce will enforce the new security policies around guest users.

 

Note: As discussed in the Winter ‘21 Salesforce release notes, following a “secure by default” approach (e.g. applying the principle of least privilege) is always recommended, and you should review the relevant Org, Object, Field, and Record permissions to be sure they match your security privacy and risk profile. Zuora recommends guest privilege access adheres to the latest guidelines and best practices defined by SalesForce, as described here.

 

Customers utilizing the Zuora Customer Payment Method Capture unmanaged package will need to make updates due to the following security changes:

  1. External org-wide settings will now be defaulted to private.
  2. Guest Users can’t have more than read data.
  3. Guest Users can’t have the update and delete permissions
  4. Guest Users can’t have View All and Modify All permissions.

Required Changes:

For the Guest User, grant Read access to the following objects / Setup Guest Sharing Rules (No Edit or Delete Access is allowed):

 

a. Payment Pages Settings – Read access to the object

           

  1. Read Access to all fields
  2. Please remove any edit access        

b. Quotes – Read access to object only if Quote Information table is being displayed

     

  1. Please provide read access under the field level security for the site profile to any quotes attributes being displayed in the Quote Information table.
  2.  On the guest user profile under Enabled Custom Setting Definitions Access provide  access to “Zuora Customer HPM Quote Field” custom setting.
  3. Implement the appropriate security controls for the sensitivity of your data.

c. If enabled, remove “Lightning Features for Guest Users” from the Guest user.

 

For "Payment Pages Settings" there needs to be an added Sharing Rule with type "Guest user access, based on criteria". The criteria should Component Name equals {ComponentName} where the final part matches the value in Custom Settings->Zuora Customer HPM Setting->Payment Page Component Name.

 

Screen Shot 2020-12-22 at 5.36.53 PM.png

 

Apex Classes will need to be updated to use “without sharing”. This will allow for Guest users to trigger quote updates through system context. Please review the following Apex Classes:

    1. Z_PaymentPage_IHostedPageLitePlugin
    2. Z_PaymentMethodCaptureUtil
    3. Z_PaymentPage_GoNextPlugin
    4. Z_PaymentMethodCaptureController

For Salesforce upcoming Security updates, please review the security alerts section under setup. Please review all required changes for Salesforce upcoming release.

Screen Shot 2020-12-22 at 5.37.47 PM.png

 

Note: Zuora recommends guest privilege access adheres to the latest guidelines and best practices defined by SalesForce, as noted here.

 






If you found my answer helpful, please give me a kudo ↑
Help others find answers faster by accepting my post as a solution √

3 REPLIES 3
Manojna
Zuora Support

Re: Authorization Required Error when loading Zuora Payment Method Capture Unmanaged package.

In addition to the above, if you are using Salesforce Lightning and have additional custom controllers developed for the package which use @AuraEnabled methods

 

User profiles should be given explicit access to those classes because of the below critical update with Winter'21 release

https://admin.salesforce.com/blog/2020/critical-update-ensure-users-have-access-to-auraenabled-metho...

 

 






If you found my answer helpful, please give me a kudo ↑
Help others find answers faster by accepting my post as a solution √

juhno-mann
Savvy Scholar

Re: Authorization Required Error when loading Zuora Payment Method Capture Unmanaged package.

Hi Jyoti,

 

We've made these changes to our guest user profile, but we also needed to add a sharing rule for the guest user on the Zuora Quotes objects so we don't get this error. The problem is this makes the data available to the public; specifically, the notes and attachments object. 

 

Any idea on what we are doing wrong? Do you think it matters that our Zuora Quotes package is still on version 7.0.2?

 

Thank you!

Manojna
Zuora Support

Re: Authorization Required Error when loading Zuora Payment Method Capture Unmanaged package.

Please check the original post that has the latest information as of 12/22/20 06:16PM PT






If you found my answer helpful, please give me a kudo ↑
Help others find answers faster by accepting my post as a solution √