The VisualForce Developer's Guide says:
Like other Apex classes, all custom controllers run in system mode. Consequently, the current user's credentials
are not used to execute controller logic, and the user's permissions and field-level security do not apply.
To play around with this idea, I set up a profile that could read the Case object, but did not have visibility of the Description field. I then assigned this profile to a user.
My understanding of the quote from the VF developer's guide was that any user would still be able to access the field (i.e. see it if it was referenced in a VF page). However, that doesn't appear to be the case. The following code is a quick page that displays the Description field. Logged in as the test user, the field is not visible.
<apex:page controller="PermissionsController">
<apex:form >
<apex:pageBlock >
<apex:pageBlockSection >
<apex:outputLabel value="{!c.Description}" />
</apex:pageBlockSection>
</apex:pageBlock>
</apex:form>
</apex:page>
public class PermissionsController {
public Case c {get; set;}
public PermissionsController() {
c = [SELECT Id, Description FROM Case WHERE CaseNumber = '00001031'];
}
}
Interestingly, even when I switch the Case permissions off completely for the test profile, the user with that profile can still see the page, if not the field, but if I use a standard controller, then the normal insufficient privileges page is shown.
Does the quote basically mean that the code will still access all objects and fields referenced in the controller, even if the running user doesn't have permission, but the normal field level visibility is applied for the VisualForce page?
Best Answer
A standard controller would be tightly coupled with the entity (eg Account Standard Controller with Account). The only purpose of such a controller would be to display / update the associated entity.
Whereas with a Custom Controller, it isn't tied to an entity, but you could use it to do anything from accessing records to just building a visualforce screen which has nothing to do with data. Hence access to such a page will depend on whether the running users profile has security enabled to access the VF Page and the associated custom controller class.
Also, all classes are by default 'With Sharing' unless declared otherwise. You will need to explicitly use 'Without Sharing' to override sharing settings for the currently running user.