Enforcing security in Visualforce

Visualforce pages that expose SObject information (via Standard, Custom, or Extension Controllers) can leverage built-in object- and field-level security enforcement when they use components or expressions that reference SObject fields directly; such usage honors the user's field-level security. However, Visualforce expressions that reference SObject fields by way of a controller property are not affected, as the Visualforce engine cannot tell whether the controller property in turn refers to an SObject field.
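
The difference between the two kinds of reference, as an added example that is not code from the book: the controller name AccountSummaryController, its properties, and the page markup are hypothetical, and AnnualRevenue stands in for any field restricted by field-level security.

```apex
// Added example. AccountSummaryController, canSeeRevenue and revenue are
// hypothetical names; AnnualRevenue is a standard Account field.
//
// Page markup, kept as a comment so the example stays in one block:
//
//   <apex:page controller="AccountSummaryController">
//     <!-- Direct SObject field reference: the Visualforce engine applies
//          the running user's field-level security and hides the field
//          (and its label) when the user has no read access. -->
//     <apex:outputField value="{!account.AnnualRevenue}"/>
//
//     <!-- Controller property: the engine only sees a Decimal, so nothing
//          is enforced unless the controller performs the check itself. -->
//     <apex:outputText value="{!revenue}" rendered="{!canSeeRevenue}"/>
//   </apex:page>
public with sharing class AccountSummaryController {
    public Account account { get; private set; }

    public AccountSummaryController() {
        // Apex queries are not filtered by field-level security, so the
        // field value is loaded regardless of the user's access.
        Id accountId = ApexPages.currentPage().getParameters().get('id');
        List<Account> rows = [
            SELECT Id, Name, AnnualRevenue
            FROM Account
            WHERE Id = :accountId
            LIMIT 1
        ];
        account = rows.isEmpty() ? new Account() : rows[0];
    }

    // True only when the running user has read access to the field.
    public Boolean canSeeRevenue {
        get {
            return Schema.sObjectType.Account.fields.AnnualRevenue.isAccessible();
        }
    }

    // Returns null instead of the value when access is denied, so the
    // property cannot be rendered by an expression that forgets the check.
    public Decimal revenue {
        get { return canSeeRevenue ? account.AnnualRevenue : null; }
    }
}
```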

When using the apex:inputField and apex:outputField components, fields (including the label, if present) will be hidden or made read-only accordingly. A less well-known fact is that direct SObject ...
