Visualforce Page Security

Permission for a Visualforce page is checked at the top level only. Once users can access a page, they can execute all Apex that’s associated with the page. This includes:

• The controller for the page and any Apex classes called from the controller class.
• Any extension classes for the page and any Apex called from an extension.
• Any Apex classes associated with custom components within the page.
• Any classes associated with the page through the use of apex:include or apex:composition.

For example, if page A depends on a controller that calls an Apex class B, and a user has access only to page A but not class B, the user can still execute the code in page A. Likewise, if a Visualforce page uses a custom component with an associated controller, security is only checked for the controller associated with the page, not for the controller associated with the component.

If users have the “Customize Application” permission, they can access all Visualforce pages in the associated organization. However, they can still have restrictions related to Apex classes. The “Customize Application” permission doesn’t allow users to ignore those restrictions in a Visualforce page unless they have Visualforce page access. Users without the “Customize Application” permission can still view Visualforce page ids and names.

Also, to include Apex in a page, users must have the “Author Apex” permission or access to the Apex class.

Note Organizations with Salesforce Sites or Customer Portals can enable Visualforce pages either by assigning them to user profiles or by enabling them for the entire site.

• Set Visualforce Page Security from a Page Definition
  Set Visualforce page security.
• Set Visualforce Page Security from Permission Sets
  Specify Visualforce page access in permission sets.
• Set Visualforce Page Security from Profiles
  Set Visualforce security directly from a profile to give that profile’s users access to the specified Visualforce page.