Security expression across three tables

I have an app where users can submit test courses to be reviewed. The tests have their own form along with a form for adding test questions.

There is a Users table with fields:
User (key), Email
ex: John Smith , johnsmith@aol.com

A RequestForm table with fields:
RequestFormID (key), Requestor (a ref to Users)
ex: ABC123, John Smith

A RequestQuestions table with fields:
QuestionID, RequestFormID
ex: JHN567, ABC123

So a User creates a RequestForm and appends its RequestQuestions. How can I setup the behavior of the edit button (on the RequestQuestions table) so that only Requestors can edit the Questions they made via their USEREMAIL()?
I’ve got it working with at the RequestForm level with this formula, but I can’t get it working at the question level:
IN( [Requestor], SELECT(Users[User],([Email] = USEREMAIL())))

The best approach might be to use security filters, if you don’t want users looking at each other’s data.

So that the Users table only includes the current user:

(USEREMAIL() = [Email])

So that the RequestForm table only includes the current user’s forms:

(USEREMAIL() = [Requestor].[Email])

So that the RequestQuestions table only includes the current user’s questions:

IN(
  [RequestFormID].[Requestor],
  FILTER("Users", (USEREMAIL() = [Email]))
)

So using this approach they can only see their own data? In this case I need everyone to be able to see all the data, but only be able to edit their own entries.

1 Like

Alright. In that case, the expression I gave you for the RequestQuestions table above should also work as the Only if this condition is true expression for the Edit action of the RequestQuestions table to offer the edit option only to the submitter of the question.

IN(
  [RequestFormID].[Requestor],
  FILTER("Users", (USEREMAIL() = [Email]))
)