Bypass Security Filter ; Mystery solved

Koichi_Tsuji · 07-28-2020 04:26 AM

It was my long running mystery, "how and when we use “Bypass Security Filter” in workflow settings, but now the mystery was solved thanks to usual great support from Appsheet teams.

In the setting area, there is statement of ; -

Run this workflow rule as though there are no security filters on the data sources.

Taking into account this explanation, I have been assumed the actions fired by the workflow is ready “ignoring” the security filters applied to the table setting, but it was not. I didnt dig in deeper than that, but recently I had a use case possibly I need to have this on my apps.

Consulted with Appsheet dev teams through the support, and it was possible there was a bit of bug which was fixed now. Probably, the new code will take a bit of time to arrive to your appsheet account, but my test is currently show the desired result and functions.

let me explain.

For instance, we apply filter to the table, just read the rows mathing the value for Email fields where it containts email address of login user. This is quite common use case. Then we apply some sort of “count(select(Table[ID], true))” in some fields settings such as app formula or initial value expression. When this expression is applied the count calculation is made on the client side, i.e. to count the number of row in table which “got through” the filter conditions. Assume we have 10 records in app after applying filter, but in reality, we have 100 rows in the original table.

“count(select(Table[ID], true))” sort of expression is always calculating the number of records based on “after filter” as it is Appsheet “by design”.

However, let s assume we update the field by workflow/action and push the number of total records count, by setting “Bypass Security Filter” turned ON, it will count the record reading the orinal table “as if” there is no security filter applied to the table settings.

Say, I run the action by wrokflow and update target row and fileds with expression of “count(select(Table[ID], true))” in the above case on adding new row, then result will be

“Bypass Security Filter” Turned off ; 11
“Bypass Security Filter” Turned on ; 101

In some use case we really need to apply filter to reduce the amount of the records to be sent to the user devices to improve the performance of the app, but at the same time, we wish to run the appsheet expression as if there is no filter being in place.
Now it is easily achievable by setting “Bypass Security Filter” being turned ON!

I placed public sample app so that everyone can play around how it works. The sample app is here.

In this sample app, we read the records from a table using useremail() value mathced email filed (pretty much common use case).

Then compare the inital value with count/select expression result with the action fired by workflow with bypass security filter turned ON.

Have a fun.

Koichi_Tsuji

I tested further.

Add new row from app. The expression yields the correct number by workflow/action.
Add dummy rows into spreadsheet directly, assuming the other concurrent user is adding “new” rows.
Without syncing app, add another new row.

Result ; Expression yields correct number to count the number of records.

Obviously the Appsheet is wise enough to read the “most latest” whole table upon firing workflow/action regardless of user device specific data. Make sense.

Grant_Stead

Yes Sir, I use this often!

Suvrutt_Gurjar

Well explained @tsuji_koichi. Thank you.

MultiTech

Thank you so much! You just answered my question and solved my problem. You are THE MAN!

OptimiX_XcrY

I am testing a simple app for adding and reporting via email, with a parent and a children table, both having “filter all rows” , and a workflow bypassing sec filter to sent a report for each new parent row and it’s children.

In email attachement, children are empty.

Any help is much appreciated

Aleksi

Please check a sample “Parent Workflow” from https://www.appsheet.com/portfolio/531778 how it’s built. It’s a simple timing issue.

OptimiX_XcrY

I am copying it now to test. In the preview, i saw that “filter all rows” is not checked for parent nor children.

I didn’t see the solution yet.

Aleksi

The reason in your case is probably different than the ByPass option. Take a copy and set both tables with that option. Then you can be sure if the reason is coming from that settings or your app’s settings.

OptimiX_XcrY

“Bypass security filters” should apply to children too ?

OptimiX_XcrY

I took a copy , i checked “filter all rows” for parent and for child table. I added a pdf attachment (auto created one) to the workflow email. i “bypassed” security filters in workflow. i tested it. Result does not contain recorded children. So the bypass security filter is probably only applied to parent table.

OptimiX_XcrY

My testing app sends a perfect report if no “filter all rows” is checked.

I just tried to have children with no security filter, and parent with “filter all rows” checked. The workflow sens only the parent row data, and no children data

dbaum

@Aleksi or others, is there any clarification available regarding the various points raised in the 10/2020 messages here?

What is the simple timing issue and how would one address it? I don't see anything in the linked sample app that illustrates this.
Is it the case that the bypass security filter is... only applied to parent table? That doesn't seem consistent with the UI's description of the property's behavior: "Execute this event and the Bots that it triggers as though there are no security filters on the data sources."
Regardless, is there a way to simultaneously exclude child rows from loading for the user and include those child rows in a file created by the user via an automation?

Here's what I'm trying to solve:

In my app, a user selects an action from a parent row that creates a csv file for all the parent's child rows (following @TeeSee1's technique).
The parent row from which the user selects the action is directly visible to the user in the app.
The parent's 1000s of child rows are excluded from the app by a security filter for performance reasons.
When the csv file is created, it includes only the headers and no child data even though the automation event's "Bypass Security Filters?" property is toggled to yes.
To isolate the issue, I changed the app so that the child rows are loaded to the app. In this case, the child rows are indeed included in the csv.

For what it's worth, my best guess regarding what's going on is:

The parent row's [Related Children] column (using a REF_ROWS() expression) is empty given that the child rows are excluded via security filter.
The automation is executing based on that empty value from the user's device rather than, for example, recalculating it in the context of the security filter bypass while running the automation on the server.

For the time being, I've added to the beginning of my export action series an action that changes data to allow the child rows to pass the security filter for loading to the user's device. It seems to work ok; I tested once with 12K rows, but I do wonder if I'll at some point encounter the "timing issue". Regardless, it's better for the user if I can avoid downloading 1000s of rows from the server to the device just for the purpose of sending their IDs from the device back to the server.

As always, I appreciate any guidance that anyone can provide.

Steve

I encourage you to repost this question to Q&A.

Shucasm

I don't know how it worked for you because it didn't for me or maybe it only work for parents Table because when I am using webhook in child table(ref_rows) to update parents table this Bypass security filtered didn't work in my case. So did you have any solution for that because when I test my webhook it giving me error 404 HTML not found.