Users can share deep links to specific content to other users and often do.  As a result they may often save the link for future reference.   

Understood.   At the very least you should submit your findings to AppSheet Support.

However, I am trying to inject older version numbers into an app URL and cannot seem to force the app to the specified version for myself or any virtual user I have established.  The user has, so far, been directed to the proper version.

Maybe you have found a gap?  But then we will need more specific details on how you and your users are accomplishing access to the old app version.

Yah I tried as well, nothing seems to happen.

Will, are you sure the users aren't just loading from the cache?

I will go back and double check . 

However, we were able to demonstrate different features showing up.  Mostly it is noticeable when the column numbers change and the error will message out inconsistent columns which breaks the app entirely.  

When looking at error message in the logs it shows the different version numbers.   We have cleared the cache with no effect.  They can increment through the versions to see different versions that I had never launch/released for them to use.  ( ie taking advantage of the 'Stable' version release)  

Currently I have about 10 different apps, used by about 30 different users.  Some apps used daily by about 18 users.  I have test 3 of these, and all produce the same results ( I being the administrator).   Only 1 the most used was tested by none administrators, just general users.  

I have however seen a number of log errors recorded with different users, with different version numbers.  These are likely saved links with the version in the URL.

---

@WillVerkaik wrote:

( ie taking advantage of the 'Stable' version release)  

---

Obviously, this is an Enterprise level account.  I'll try the version injection on similar apps I have access to.  I have a vested interest for my clients.

Yes it is an Enterprise account.

---

@Marc_Dillon wrote:

Will, are you sure the users aren't just loading from the cache?

---

This is a good point! 

Something I have only recently realized is that there is a difference between a Sync and data updates.  A user must manually tap Sync to get version updates.

Double checked with my team.  We were able to go back to various version to a point where I implemented a security solution to avoid access to specific data.  ie. Use security filtering and user record data.  As a result, this user had the current version where they could not see the data, then with the older version before this, they could then open and see ALL data that they should not be able to see.  I am trying to work with Appsheet Support on this.

Also, opened a completely different app by the user, that was not flagged as a problem.  Added the session ID and the ability to access old functions ( or loss there of)

Some outcomes just modifying.  2 instance the app works, 1 breaks ( I will look to see how to submit to AppSheet Support)

I spent some time testing this on an Enterprise app for which I am a co-author.  I I cannot reproduce the issue.  I've tried with a couple different accounts with different app access - Edit versus User.  Attempts to inject an old version always bring me back to the correct expected version - whether I start with the Editor browser link or copy a deep link within the app.  See images below for only some of the attempts I've made.

I believe you have found an issue.  We just haven't found the root cause - an AppSheet issue or something else.

********************************************

Injection attempt on Co-Author set to Latest

Injection for App Start on User set to Stabile version

Injection into Deep Link

Injection attempt for user without access

When addition the version, use Ampersand '&' to parametrize the value pair of version/number.   So use     &version=#.######

It''s the same.
Could you share some screenshots similar to the ones @WillowMobileSys sent? This will help the AppSheet Team troubleshoot the problem

I think 2 of the 3 screenshots @WillowMobileSys  did not use the Ampersand.  The images I shared above have the URL.  If you wish for more screen captures I can provide.  I have sat with 3 staff members in office to go over their computer and was able reproduce the problem. It might be related to our environment, but it is multiple different Apps different data sources.

This is a standard user (MAC in this instance).  First capture is the current version with a single data element related to the user.  The second screenshot is moving back the pre-dates the release of adding security feature to allow the user to only see their department.

Can you test this under an incognito/private browser window?

So 2 things:

1)  You are using the Desktop Preview.  Be aware it is still in Preview/Beta and while in a very good state right now, it is riddled with issues.  You really don't want to use it for LIVE apps - especially if you have security concerns.

I will re-test with Desktop Preview ON to see if that changes anything for me.

2)  I am curious,  if you were to open the About view, what version does it show?  I have only been inspecting the version number and assuming the logic matches the version shown.  But there could be a mis-match in the version reflected and the physical code loaded.

To be honest, without the Desktop version, the Appsheets solution is useless to our business.  Most work is NOT using mobile devices from users.  I have a budget for 2,000 users to either continue with Google or move to MS of which provides PowerApps.  The technology is quite good for its simple purpose and to release companywide for interfacing with Sheets. ( and Bigquery).  Without the desktop however, that is a showstopper. 

The version in the URL matches the version in the About.

I reported to support yesterday, and they said they escalated and I will be emailed.  Thank you @SkrOYC for taking the time to try and reproduce the error.  From my perspective, the app cannot be used for anything that has confidentiality or PII (which is most). 

When you go back and look at older version, the URL is populated with it.  I may have inadvertently sent this to someone and it then spun off.  However, the fact that someone can just add a version is a problem regardless. 

---

@WillVerkaik wrote:

However, the fact that someone can just add a version is a problem regardless.

---

I agree that this is problematic.  But it isn't a major security concern.  It can be a data headache for sure!!  Let me explain.

The same "old version" problem can happen organically.  If a user uses the app daily but never Sync's to get the updated app version's, they can continue to operate on that version indefinitely OR until the app breaks from something like a mis-match in columns.

I recently experienced the pleasure of this issue!!  Not fun when a user has 50 edits they have submitted and you are trying to recover them.

In either of these scenarios, if the user is de-listed or loses authorization, they will not be able to get into the app - old or new.

Anyway, for now it is what it is!

Really? it is what it is? I sure hope the team at Appsheet / Google do not feel this way and deal with it at the level of security compromise that it is.  Exposing application history to any user engaging in a solution is an untenable argument.   At the very least, versioning should have the ability to be shut to exposure.  

---

@WillVerkaik wrote:

Really? it is what it is?

---

Ah c'mon!  Don't get so uptight.  We are all trying to resolve these things together.  I simply meant it is the way it is...for now.  BUT, it's not the security problem you think it is.  As I described it can happen naturally through user "normal" use of the app.  If a user becomes a problem, you have the ability to remove their access.

---

@WillVerkaik wrote:

At the very least, versioning should have the ability to be shut to exposure.  

---

This part I, and I'm sure ALL of us, agree with 1000%.  In fact there is a Feature Idea yet to be implemented that will solve this problem.  Please review it (link below) and upvote it.  I would recommend adding into the comments what you have informed us of in this thread to give more clout to the urgency of the requested feature.

https://www.googlecloudcommunity.com/gc/Feature-Ideas/We-need-a-way-to-force-new-versions-of-an-app-...

Interesting: The link to this 'feature' request indicates that it remains 4 years yet to be acknowledged and IMO should be a core infrastructure delivery function.  Somewhat disappointing if the technology is expecting to be used as an enterprise solution.  My additional upvote to move from 22 to 23 would be inconsequential to any decision on the ROI of this 'feature' when hitting the product roadmap table.  I was unfortunately under the impression the size of the tech community was larger being a Google solution.  My evaluation seems to be leading down a dirt road.  

---

@Marc_Dillon wrote:

I was also able to repro it now. It seems the version must be part of the url parameters (the part after the '?'), not part of the fragment (part after '#').

---

Ok, after this, I was able to research a little and now I too can reproduce it.

I'd forgotten how some of this is used and didn't know what the "#" was for at all.  For everyone's understanding, here is what each of the "parameter separators" do:

• ? - separates the URL from the Query parameters.  It signals to the server that parameters are to follow.
• & - delimiter between Query parameter Key/Value pairs
• # - client side anchor - the portion after the # is typically processed on the client side to specify WHERE in the client side code (returned after parsing the Query parameters) the web page should start at.  These parameters are usually ignored by the server.

So...when I tried copying the Browser link and insert "&version=x.xxxxxx" it didn't work - no app presented.  Following examples,  I next tried "#version-x.xxxxxx" and the app launched but I always got the proper latest version.  That's because the # stuff was ignored and essentially treating the URL link the normal Browser Link.

With the above understanding, I can now add "?version=x.xxxxxx" and the server returns the specified version, the app loads or results in an error if there is a column mismatch.

To put all this together and understand how all of these work together, just look at the Editor URL it uses all three of these.  See image below

The topic of security is long in the tooth for all technologie long before my time and likely not worth the debate here.  In the end, if the use of adding version as an open paramater is deemed a feature, then the expectation is clear and the technology is relegated to the confidence of leaving content potentialy exposed. 

Development processes are about continual 'experimentation'.  Most of your work is deemed unusable until you find your 'gold nuget' and want to commit.   If your business/clients is comfortable when aware of this with their content, then not a risk.   

The alternative is to follow the best practice of separate SDLC environments for DevOPS =  Dev->Integration->Test/Staging->PreDeploy->Production.  Of course with a cleaned Production.

That however defeats the gains of Citizen Development just to minimize this risk.     

I like the technology.  It makes sense.  It can do wonders on productivty of large teams on spreadsheet hell.   However now as a Google Product, it should be expected to have minimum standards for mass adoption.