Question about embedded forms

Rod · 10-10-2020 09:28 AM

I have a question about embedding a form in a site.

The data will be stored as a “sheet”, not in a seperate table, it’s not sensitive info but I certainly don’t the sheet to be accessible publicly.
The “Finish View” will show a different screen, i.e. thank you etc…

The Appsheet behaviors and actions are the most valuable to the performance of the form, because it’s a “public” form, do I still need to be concerned about security? If so, is there a way around this in order to use all of the functions in Appsheet?

Thanks!

Aleksi

If you want to be sure, you could set the option Data > Tables > Table’s definition > Filter out all existing rows?

Rod

I tried that, but you can’t see the data in the app…

Steve

What does this mean?

Nothing the app uses needs to be publicly accessible, but if the app itself is publicly accessible, so will be the data is uses.

Only as much as you care about the data.

We’d need a lot better idea what you’re trying to do.

Rod

Okay, ultimately I would like to run an appsheet embedded form in a website. It’s public job request form. I’m not showing anything else but the form. But I do want to run a check against existing data to prevent dups and to save data entry time, i.e one client many addresses, etc.
Because it’s a “public” form, “white label”, should I be concerned about access? Once again the form will return a thank you, nothing else.

Steve

The web-based app must have access to all of the data it needs to use to perform its function, so if you want it to check for duplicates, etc., the app must have access to all existing data in which it is to detect duplicates. All of that data must be copied to the app for use.

As a “public” app–an app that doesn’t require user login–you won’t have any level of trust in the user and can’t make a decision to withhold data according to who the user is. Because all software has bugs, we have to assume there are bugs in AppSheet that an attacker could use to access even hidden data. If your app has a copy of all the data, and an attacker has broken in, they could access that data.

That the app is/will be white label has no bearing, really.

So that’s what you have to consider. How sensitive is the data an attacker might get?

There are ways to structure data so that more-sensitive data is more protected than less-sensitive data. For instance, you could keep the more-sensitive data, like personal names, home addresses, phone numbers, and email addresses, in a table that filters out all rows, as @Aleksi suggested, but keeps less-sensitive data in unfiltered tables. That less-sensitive data would be available for the app to use.

Another option might be to detect and handle duplicates using workflows or reports, which run from the server and can access data the user cannot. There’s substantial complexity involved in this approach, but it’s not uncommon.

Rod

I thought you were going to say that…
What is the suggested route for running a public form and then managing it? Do you force the public to create an account and run through the verification process?
or don’t embed an appsheet form…?

I can setup a Google form and or another third party form, what do you suggest?

Aleksi

For me it sounds that it would be better to use for example Google Form for this purpose. If you want to use prefilled values when the form is opened, that’s possible as well. Then you can connect the form to your admin app if it’s needed. And btw… you don’t need to be an “attacker” to see the hidden data in the public app.