Detail page security connected to logged-in user's field

@moe Looking for a way to restrict access to a record’s detail page based on a connected value of the logged-in user.

For example, I can filter a data table to only display records whose Company (connection) is connected to the logged-in user’s Company (connection).

This works well, but when you create a detail or edit page from that data table, the restriction of access based on Company is lost.

Said otherwise, I only want users to be able to view detail pages of records where the record’s Company is equal to the user’s Company.

@ScottG -

This is a fairly straightforward process. You’ll need to create a company table and associate each company with the respective user. The company table will have a connection from the company table to the user table.

Then, in the page builder, you can create a table, and in the filters tab of the data source you can then select company that is connected to the logged in user field of associated company.

Caveat to that is that it will show all companies that are associated with that user so if you have multiple companies, it will show multiple companies in that table.

@SafetyUniversity Hi Adam, thanks for your reply. I believe you’re referring to the data table itself rather than a specific record’s detail page.

I’m more concerned about a scenario in which a user connected to Company #1 is provided the direct URL to a detail page of a record that is connected to Company #2; that user can still access the detail page.

There appears to be no way to restrict access to a detail page by the connected company.

Hi @ScottG -

Not knowing the details of what your app is trying to operationalize, I can say that TB is not natively designed to segregate pages based on user/company variables but rather roles. Details pages are not typically designed to be specific to a company/variable. Hence the need for the different tables to be filtered or JS used to hide/show components.

I would be very interested in any workaround or solution you are able to develop.

Best,
Adam

@ScottG you can probably do this with Page Rules.

My approach would be the following:

  1. Create a Tadabase REST API pipe to get record details of the logged in user and the details of the company ID you’re looking at.
  2. In the details page, add a page rule with a condition that uses the above pipe. If Total Results is not “1” then it should show an error.

I’d be happy to make you a quick video demonstrating this if that can be helpful.

I made a short video demonstrating how to do this. It’s more complex than I anticipated, but certainly doable.

@ScottG I also shared the app with you so you can see what I did.
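
The two-step check suggested in this thread, modelled in plain JavaScript over constructed in-memory data. This is an added example, not code from any poster or from Tadabase; the table layout, field names and function names (`totalResults`, `canViewDetail`, `detailById`) are hypothetical stand-ins for the pipe and the page rule.

```javascript
// Constructed sample data; ids and field names are hypothetical.
const users = {
  u1: { name: "Ann", companies: ["c1"] },
  u2: { name: "Bob", companies: ["c2", "c3"] }, // connected to several companies
  u3: { name: "Cy", companies: [] },            // no company connection
};
const records = [
  { id: "r1", company: "c1" },
  { id: "r2", company: "c2" },
  { id: "r3", company: null },                  // record with no company connection
];

// The data-table filter from the thread: only rows whose company
// is connected to the logged-in user.
function listForUser(userId) {
  const mine = new Set(users[userId].companies);
  return records.filter((r) => r.company !== null && mine.has(r.company));
}

// A detail lookup by record id alone: the table filter plays no part here,
// which is the gap the original question describes.
function detailById(recordId) {
  return records.find((r) => r.id === recordId) || null;
}

// Stand-in for the pipe (step 1): count records that match BOTH the requested
// id and one of the logged-in user's companies. Unknown users and records
// without a company never match.
function totalResults(userId, recordId) {
  const user = users[userId];
  if (!user) return 0;
  const mine = new Set(user.companies);
  return records.filter(
    (r) => r.id === recordId && r.company !== null && mine.has(r.company)
  ).length;
}

// Stand-in for the page rule (step 2): anything other than exactly one
// result is treated as an error, so the detail page is not shown.
function canViewDetail(userId, recordId) {
  return totalResults(userId, recordId) === 1;
}
```

The check fails closed: a missing record, a missing user, or a record with no company all give a count of 0 and are refused.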