I have a visualforce page 'TestPage' which has access to all the profiles in my organization(say A,B and C). This page has a controller 'TestController'. This controller has access only to two profiles in my Org(say A and B). The controller looks like

public without sharing class TestController
{
}

But when I tried to login as a user with profile C and view the page, it is working fine and displaying the data that gets from the controller. But this profile C doesn't have access to the controller 'TestController'.

Can any one please explain what happens in this scenario?

Attribution to: Priyanka

Possible Suggestion/Solution #1

The reason for this is that giving a profile access to the page automatically grants access to any apex that the page relies on.

There's full details at: https://na6.salesforce.com/help/doc/en/pages_page_level_security.htm

Attribution to: Bob Buzzard

Possible Suggestion/Solution #2

Apex Class security doesn't matter in terms of loading a visualforce page. This comes into play if you're exposing the class as a webservice, to the ajax toolkit, and possibly javascript remoting.

Attribution to: Ralph Callaway
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/3970