Question: Limiting Access to Detail Pages in an RBAC System (with REST API)

App Development
1

I’m concerned about the security of detail pages in Tadabase. While RBAC works well for filtering records server-side, it doesn’t prevent the issue of exposed record URLs in the browser. This means that users can edit the URL, and if they guess correctly, they could gain unauthorized access to records they shouldn’t be able to view.

I have many different companies logging into the portal/webpage, all of which share the same User Role and the same page structure. This creates a significant security risk, as a user could potentially alter the URL to try and view data from a different company that they do not have access to, leading to potential nefarious activities.

Has anyone utilized the REST API to verify if a user is connected to the details page before showing or restricting access? There’s been a similar topic discussed, but the solution provided isn’t comprehensive enough for what I need. My scenario involves verifying if a user is connected to Company #1, and then checking if Company #1 is connected to Company #2. If both conditions are met, I want to allow the user to view the page; if not, I need to deny access via page rules or some other alternative method.

The similar post can be found here: Detail Page Security - Connected to Logged-in User’s Field

Any insights or solutions would be greatly appreciated!

Thanks!

Kyle

2

Hi Kyle, is the solution in the post you linked not working for you?

3

No. The related post doesn’t exactly meet my needs. It would be applicable if I was simply trying to validate a user is connected to a company, thus disable/show details page if value is returned.

My challenge is, in example form: A user connects with Company #1, but Company #1 can connect with itself or another Company, which we’ll call Company #2. I need to validate that the Users Company #1 is Connected to Company #2, and if yes then show the details of Company #2.

Page rules allow you to utilize one pipe, not multiple subsequent pipes (and storing request data). So comparing two fields in a single request isn’t allowed.

I have been able to achieve denying access to company details records, if Company #1 doesn’t have a connection with another Company #2… but that doesn’t solve the challenge, only minimizes the potential security risk.

I would love to solve this problem, but my coding abilities have already be stretched to the limits. :sweat_smile:

4

I believe I solved the problem…

What This API Call Does:

  1. https://api.tadabase.io/api/v1/data-tables/XXXXXXXXXX/records:
  • This is the base endpoint for retrieving records from a specific data table in Tadabase, identified by the table ID XXXXXXXXXX.
  1. Filters: The query is using two filters to narrow down the results.
  • filters[items][0][field_id]=field_1616:
    This filter specifies that we are looking for records where field_1616 matches the value of {loggedinusercompany}.
    In this case, field_1616 is assumed to store the logged-in user’s company ID (or something uniquely identifying the user’s company in the database).
  • filters[items][0][operator]=is:
    The operator is ensures that we are looking for an exact match between the value stored in field_1616 and the value provided by {loggedinusercompany}.
  • filters[items][0][val]={loggedinusercompany}:
    The dynamic value {loggedinusercompany} represents the company ID of the currently logged-in user. This value is passed into the API call dynamically (usually from the session or user data).
  • filters[items][1][field_id]=id:
    The second filter checks that the record’s id field (unique record identifier) matches the value of {targetcompany}.
    3.*id** refers to the unique record identifier for the company that the logged-in user is trying to access.
  • filters[items][1][operator]=is:
    This also uses the is operator to ensure an exact match between the record’s ID and the {targetcompany} value provided in the API call.
  • filters[items][1][val]={targetcompany}:
    {targetcompany} is the dynamic variable representing the company ID of the target company that the logged-in user is trying to view. This is passed into the API call as part of the query.
  1. filters[limit]=1:
    This parameter ensures that the query returns only one record that matches both conditions:
  • The logged-in user’s company is connected to the record (via field_1616).
  • The record matches the target company (via id).

Summary of What This Call Does:

This API call is designed to check if a logged-in user’s company is connected to a specific target company (identified by {targetcompany}). The query does the following:

  • It looks for records where field_1616 matches the logged-in user’s company ID.
  • It also checks if the record’s ID matches the target company’s ID ({targetcompany}).
  • If both conditions are met, the query returns one record, which is the target company that the logged-in user is authorized to access.

Use Case:

This is useful in scenarios where:

  • You want to ensure that a user can only view or interact with records that are connected to their company.
  • The logged-in user’s company is linked to multiple companies, and you want to check if they have access to view the details of a specific target company.

By using this API call, you are filtering the data to only show results where the logged-in user’s company is directly connected to a specific target company, and limiting the result to just one record.

The complete call is (you’ll have to change XXXXXXXXXX to your table you’re targeting): https://api.tadabase.io/api/v1/data-tables/XXXXXXXXXX/records?filters[items][0][field_id]=field_1616&filters[items][0][operator]=is&filters[items][0][val]={loggedinusercompany}&filters[items][1][field_id]=id&filters[items][1][operator]=is&filters[items][1][val]={targetcompany}&filters[limit]=1

The page rule is setup on the details page to show/restrict access:

Page Rule Image
Page Rule Image881×376 32.1 KB