Security in Oracle APEX applications is one of the very important feature which must be taken care.
Normally, while applying restrictions on buttons we just hide them by setting server-side-conditions or authorization schemes, when only some privileged users should be able to execute processes. But with some JS code you can still trigger them. Surprised !!!!
Please go through the following article which explains how a hidden button can be triggers and the ways to prevent it.
Must read article for enhancing the security of your application.