[SalesForce] Field level Security in VisualForce page

I have two custom fields in the Account object, Test_Field_RO__c and Test_Field_H__c. I have a profile, Test Profile, which has the following field level security (FLS): Test_Field_RO__c is Read Only and Test_Field_H__c FLS is Hidden. I am trying to display them in a VisualForce page using the following code snippet:

<apex:page standardController="Account">
  <apex:form>
    <apex:pageBlock>
      <apex:pageBlockSection title="Standard Controller">
        <apex:inputText value="{!account.Test_Field_RO__c}"/>
        <apex:inputText value="{!account.Test_Field_H__c}"/>
      </apex:pageBlockSection>
    </apex:pageBlock>
  </apex:form>
</apex:page>

When I logged in as a user whose profile is Test Profile and accessed the VF page, I could see Test_Field_RO__c as an input field, but Test_Field_H__c is not visible on the page. I have read on the developer wiki page that

using other input tags such as apex:inputText or apex:inputTextArea
with SObject fields indicates to VisualForce that the fields should not
be treated as SObject fields and prevents the platform from automatically
enforcing FLS.

In which case the field Test_Field_H__c, which is Hidden for this profile, should also be visible on the VF page. Am I missing something here? Please explain this behavior.

Best Answer

Updated 2017-05-24

Visualforce respects Field Level Security when using apex:inputText. It will appear editable if the user has Edit permission on the field, Read-Only if the user has Read permission on the field, and will not be rendered at all if no access is granted to the field. When writing Visualforce, it helps to remember that System Administrators have Edit Read-Only Fields, which overrides the Edit permission on a field (but they won't have any access without Read access to the field). Always make sure you're testing with a profile that does not have the Edit Read-Only Fields permission.


Original Answer

apex:inputText does not honor Field Level Security. Use apex:inputField instead. See Enforcing CRUD and FLS for more details.
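
An added example, not from either the question or the answers: the question's page rewritten so that the FLS decision for each field is stated in the markup instead of depending on how a given component behaves. It assumes only the two custom fields from the question and uses the `$ObjectType` field describe properties `Accessible`, `Updateable` and `Label`.

```xml
<apex:page standardController="Account">
  <apex:form>
    <apex:pageBlock>
      <apex:pageBlockButtons>
        <apex:commandButton action="{!save}" value="Save"/>
      </apex:pageBlockButtons>

      <!-- apex:inputField is bound to the SObject field itself: the platform
           renders it editable, read-only or not at all according to the
           running user's field-level security. -->
      <apex:pageBlockSection title="Platform-enforced (apex:inputField)">
        <apex:inputField value="{!account.Test_Field_RO__c}"/>
        <apex:inputField value="{!account.Test_Field_H__c}"/>
      </apex:pageBlockSection>

      <!-- Generic text inputs with the access check written out:
           rendered only when the user can read the field,
           disabled when the user cannot edit it. -->
      <apex:pageBlockSection title="Explicit checks (apex:inputText)">
        <apex:inputText label="{!$ObjectType.Account.fields.Test_Field_RO__c.Label}"
                        value="{!account.Test_Field_RO__c}"
                        rendered="{!$ObjectType.Account.fields.Test_Field_RO__c.Accessible}"
                        disabled="{!NOT($ObjectType.Account.fields.Test_Field_RO__c.Updateable)}"/>
        <apex:inputText label="{!$ObjectType.Account.fields.Test_Field_H__c.Label}"
                        value="{!account.Test_Field_H__c}"
                        rendered="{!$ObjectType.Account.fields.Test_Field_H__c.Accessible}"
                        disabled="{!NOT($ObjectType.Account.fields.Test_Field_H__c.Updateable)}"/>
      </apex:pageBlockSection>
    </apex:pageBlock>
  </apex:form>
</apex:page>
```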
