nabhan karmi

Does anybody notice that object permissions are not applied on the public site guest profile?!

I built a Visualforce page with a form to insert and update account records. It works like a charm, but when I checked the Account object permissions for the guest profile, I found there's no read nor create permission, and I'm still able to create and update account records. I noticed this issue in the Winter '19 release.
Best Answer chosen by nabhan karmi
Nagendra (Salesforce Developers)
Hi Karmi,

Apex, even Apex declared with sharing, does not automatically enforce CRUD and FLS permissions for you.

CRUD and FLS are automatically enforced in Visualforce when data elements are rendered directly into the page via tags like <apex:inputField> or raw Visualforce expressions like {! Contact.Name }. Visualforce does not enforce CRUD/FLS if you render data via an indirection like a wrapper class or a primitive instance variable (a String, e.g., for a Phone field, rather than an sObject field).

If your Visualforce page used standard <apex:inputField> components bound to sObject fields on an Account instance variable in your controller, you would see Visualforce apply permissions there.

However, since all of the operation is performed in your controller, you need to manually enforce permissions. Salesforce has an in-depth discussion https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS with many examples of how to enforce CRUD and FLS in a Visualforce controller. The "Create Access" example is pertinent to your situation.

To summarize, before performing the action to create an Account and populate its Phone field in your Apex controller, you'd need to check
Schema.sObjectType.Account.fields.Phone.isCreateable()
to ensure the user has the right to perform this action.

Hope this helps.

Kindly mark this as solved if the reply was helpful.

Thanks,
Nagendra
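The following is an added example, not code from Nagendra's reply or from the original poster, showing the pattern the answer describes: a Visualforce controller that checks object-level (CRUD) and field-level (FLS) permissions with the describe calls before doing DML, so a guest user whose profile lacks Create or Edit on Account is stopped in the controller rather than silently allowed through. The class name, property name and the choice of Name and Phone as the form's fields are assumptions for illustration.

```apex
// Added example (not from the original post). "with sharing" only applies
// record-sharing rules; object and field permissions must be checked here.
public with sharing class GuestAccountController {

    // The record bound to the Visualforce form (assumed property name).
    public Account acct { get; set; }

    // Fields the form writes; each one needs its own FLS check.
    private static final List<Schema.SObjectField> FORM_FIELDS =
        new List<Schema.SObjectField>{ Account.Name, Account.Phone };

    public GuestAccountController() {
        acct = new Account();
    }

    // Returns null when the running user may create an Account with all of the
    // form's fields; otherwise the name of the first object/field that is denied.
    public static String firstCreateDenial() {
        if (!Schema.sObjectType.Account.isCreateable()) {
            return 'Account';
        }
        for (Schema.SObjectField f : FORM_FIELDS) {
            Schema.DescribeFieldResult d = f.getDescribe();
            if (!d.isCreateable()) {
                return d.getName();
            }
        }
        return null;
    }

    // Same check for the update path (Edit on the object, Edit on each field).
    public static String firstUpdateDenial() {
        if (!Schema.sObjectType.Account.isUpdateable()) {
            return 'Account';
        }
        for (Schema.SObjectField f : FORM_FIELDS) {
            Schema.DescribeFieldResult d = f.getDescribe();
            if (!d.isUpdateable()) {
                return d.getName();
            }
        }
        return null;
    }

    // Action method bound to the form's submit button. A denial is reported as a
    // page message and no DML runs, mirroring what inputField would do for you.
    public PageReference save() {
        String denied = (acct.Id == null) ? firstCreateDenial() : firstUpdateDenial();
        if (denied != null) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient access to ' + denied));
            return null;
        }
        upsert acct;
        return null;
    }
}
```

The two describe-based methods are static and return a value rather than throwing, so they can be covered directly from a test class run as the guest profile user (System.runAs) to confirm that removing Create or Edit on Account, or on Phone alone, actually blocks the save.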