Patch Notes for CloudCraze 4.5

Enabled the Secure attribute for the following cookies:

• apex__cc_anonymous_Country
• apex__cc_anonymous_Currency
• apex__cclgtkn
• apex__currCartId
• apex__effacc
• apex__CSRportalUserId

This attribute ensures that the managed package sends cookie data securely through an encrypted request over HTTPS protocol. For more information, see:

• (Mozilla Developers) Using HTTP cookies
• (Open Web Application Security Project) Secure Cookie Flag

Updated the default ccrz.cc_hk_UserInterface extension point class to distribute the latest stable, secure versions of jQuery (3.5.1) and jQuery Migrate (3.3.0).

UPGRADE IMPACT: This upgrade also introduces a breaking change where non-void HTML elements that use self-closing tags, such as <div/>, no longer render. This HTML compatibility change affects the default Handlebars templates included in the managed package, and can affect front-end extensions or customizations that you've already developed. For more details about the jQuery upgrade and the impact on the HTML used in your storefront, see the Salesforce Knowledge article, Upgrade to jQuery 3.5.1 in B2B Commerce for Visualforce Spring ’20 (Version 4.12) or Earlier.

Fixed potential security vulnerabilities in some extension point classes.

UPGRADE IMPACT: This fix deprecates the ccrz.cc_hk_EffectiveAccount.fetchAccountData() method.

Fixed several issues that enhance the security of CloudCraze custom objects against unauthorized access. These fixes don’t require any action after you upgrade.

This patch removes a requirement to have the View All Users permission enabled on your storefront’s guest user profile. This permission was previously required to work around a Salesforce Communities security fix. If you previously enabled this permission, update your guest user profile to disable the View All Users permission. This change ensures that you’re providing the least privilege to guest users to help keep your storefront data secure, while still supporting self-registration.

Fixed an issue where a guest buyer lost their cart. This issue occurred when the following conditions were true:

• The Redirect To Login configuration of the User Profile (Registration) module (ur.dirlogin) is TRUE.
• The guest buyer registered for a storefront account after clicking Checkout from the Shopping Cart page.

Fixed an issue where the ccrz.ccApiCart.addTo method didn't create a new cart when both of the following conditions were true:

• The call was in the context of a buyer shopping on behalf of another account.
• The call didn't specify a cart ID.

Fixed an issue where a SOQL row governor limit occurred when both of the following conditions were true:

• The buyer could access to all carts in the org.
• A call to ccrz.ccApiCart.addTo method didn't include the cart ID.

UPGRADE IMPACT: This fix applies a default limit of 5,000 rows for any API fetch method. If your subscriber code includes any API queries that don't specify a limit, but you want to return more than 5,000 rows, add the ccrz.ccService.QUERYLIMIT key.

Fixed an issue where the Product List page didn't sort by Newest correctly.

UPGRADE IMPACT: This fix updates the ccrz.ccApiProduct.fetch return data so that the ccrz__StartDate__c field is included in a ccrz.ccApi.SZ_S data request instead of ccrz.ccApi.SZ_L.

Updated the ccrz.ccApiProduct.fetch data size request return data to improve performance.

UPGRADE IMPACT: This fix updates the ccrz.ccApiProduct.fetch return data so that:

• The ccrz__LongDesc__c and ccrz__LongDescRT__c fields are included in a ccrz.ccApi.SZ_XL data request instead of ccrz.ccApi.SZ_L.
• The Product_Inventory_Items__r related query is included in a ccrz.ccApi.SZ_XL data request instead of ccrz.ccApi.SZ_L.

If you previously relied on this data in your extensions or other subscriber code, update your customizations to accommodate the new data request size.

Fixed an issue where cloning a storefront returned the following error:

Duplicate value found: ccrz__KeyName__c