Tuesday, January 4, 2011

Apex Class Security: Subtlety

The "Enabled Apex Class Access" section on a Salesforce.com Profile seems to be straightforward.  You can limit whether the profile has access to the methods on Apex classes.  Recently I discovered it's not that simple. 

I had a profile that had nothing enabled under Apex Class.  So you'd think those users don't get to invoke things on those classes.  Not so.  They would be able to start the VF pages, which displayed just fine.  So at least many getters on the controller classes ran just fine.  However, action methods would fail silently.  You can invoke, but nothing comes back (in my case it's outbound calls).  An even more intriguing thing is, if you enable debugging on the user, the whole thing would start working magically.  And it would stay that way even after the debugging is turned off.

Once I had all classes enabled for the profile, this behavior disappeared.  I'd love to do a controlled experiment on that but didn't have time.  Just wondering if anyone has noted a similar issue...

