The VisualForce Developer's Guide says:
Like other Apex classes, all custom controllers run in system mode. Consequently, the current user's credentials are not used to execute controller logic, and the user's permissions and field-level security do not apply.
To play around with this idea, I set up a profile that could read the Case object, but did not have visibility of the Description field. I then assigned this profile to a user.
My understanding of the quote from the VF developer's guide was that any user would still be able to access the field (i.e. see it if it was referenced in a VF page). However, that doesn't appear to be the case. The following code is a quick page that displays the Description field. Logged in as the test user, the field is not visible.
<apex:page controller="PermissionsController">
<apex:form >
<apex:pageBlock >
<apex:pageBlockSection >
<apex:outputLabel value="{!c.Description}" />
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
</apex:page>
public class PermissionsController {
public Case c {get; set;}
public PermissionsController() {
c = [SELECT Id, Description FROM Case WHERE CaseNumber = '00001031'];
}
}
Interestingly, even when I switch the Case permissions off completely for the test profile, the user with that profile can still see the page, if not the field, but if I use a standard controller, then the normal insufficient privileges page is shown.
Does the quote basically mean that the code will still access all objects and fields referenced in the controller, even if the running user doesn't have permission, but the normal field level visibility is applied for the VisualForce page?
Attribution to: Joe
Possible Suggestion/Solution #1
A standard controller would be tightly coupled with the entity (eg Account Standard Controller with Account). The only purpose of such a controller would be to display / update the associated entity.
Whereas with a Custom Controller, it isn't tied to an entity, but you could use it to do anything from accessing records to just building a visualforce screen which has nothing to do with data. Hence access to such a page will depend on whether the running users profile has security enabled to access the VF Page and the associated custom controller class.
Also, all classes are by default 'With Sharing' unless declared otherwise. You will need to explicitly use 'Without Sharing' to override sharing settings for the currently running user.
Attribution to: techtrekker
Possible Suggestion/Solution #2
Yes, you are correct: Apex controllers will be able to see all fields, regardless of field level security. Visualforce pages do enforce what is visible as you discovered with your testing.
You also need to be aware of the "with sharing" keyword. This controls whether or not your code will see records according to the sharing model. For example, if you use the with sharing keyword, then the user would only be able to see cases that they have access to normally. If you use without sharing keyword, then the user can see all cases, regardless of ownership and sharing model. See http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_keywords_sharing.htm for more info on the with and without sharing.
Attribution to: Daniel Hoechst
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/5202