This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Security filters and Public Access

Posted on 09-28-2021 08:31 AM
AdemarN
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

I build an AppSheet app that uses tables that have a few hundred names and email addresses. I was using Security Filters to limit the table content access to only those rows related to the current user by way of filtering on USEREMAIL(). I need that table because it identifies which users have access to other features within the app and other data that is linked to their email address. Everything works great but now I want to white label and publish the app and switch it to APPSHEET PUBLISHER PRO plan. The catch is that with the Publisher Pro plan doesn’t support Security Filters. Furthermore, this article suggests that public white label end-users would be able to access all the other email addresses regardless:

Any suggestions?
I built a great app with AppSheet and I’d hate for it to go to waist.

It states:
“When the app is opened in a browser, all of the data used by the app is accessible to anyone who opens the developer console and examines the data of the running application. There is no guarantee that the entire table isn’t available even if a slice is defined on that table. The only way to ensure this is to use a security filter for the table.”

Thanks

0 5 212
Topic Labels
0 Likes
5 REPLIES 5

Posted on --/--/---- --:-- AM
Marc_Dillon
Platinum 1
Platinum 1
Reply posted on --/--/---- --:-- AM

Any suggestions for what? What are your requirements?

The only possible alternative for USEREMAIL() in a Public app is CONTEXT(“Device”). But without Security Filters, all data is still downloaded to every user’s device. It can still be accessed by someone who knows what they are doing, whether or not you think you’ve “hidden” it well in the app or not.

Posted on --/--/---- --:-- AM
AdemarN
Bronze 3
Bronze 3
In response to Marc_Dillon
Reply posted on --/--/---- --:-- AM

I don’t want the user devise to have all the email addresses download. But without having an email address list how can it link up to the user in order to determine what data they see?
Thanks.

0 Likes

Posted on --/--/---- --:-- AM
Marc_Dillon
Platinum 1
Platinum 1
In response to AdemarN
Reply posted on --/--/---- --:-- AM

This isn’t even a valid question if you’re talking about a Public app, because it can’t use USEREMAIL().

Posted on --/--/---- --:-- AM
AdemarN
Bronze 3
Bronze 3
In response to Marc_Dillon
Reply posted on --/--/---- --:-- AM

I have a table where the users can add a record for the email address they claim is theirs. It also inserts their useremail() and a uniqueid() in the backend. Then I have a bot that sends an email to that claimed email address with the row uniqueid() number that they then use as the activation key for that email entry to validate it. Then I link up that validated email address to the data. Anyway, that’s how I was using it and seemed to be working and sufficiently secure, since they aren’t accessing any sensative data.

Posted on --/--/---- --:-- AM
Steve
Platinum 4
Platinum 4
In response to AdemarN
Reply posted on --/--/---- --:-- AM

If your app doesn’t use security filters, you can NOT secure the data. You can hide it, but someone with sufficient AppSheet savvy can unhide it fairly easily.

Even with security filters, you have to design your tables and the app itself for security. AppSheet is not at all easy to secure.

Top Labels in this Space