Adding a row security row owners

If we add a glide table to a project for the sake of being able to add a row to that table only.
The table is not shown in any screens or tabs nor linked to any other data in the project.

would it be necessary to put row owners on this table? will any data be visible or downloaded to the users device?

or might as well put any column a row owner… users would still be able to add a row without issues right?

The way I understand it, if the table is referenced with an Add Row/Add Form, then the table would be present on the users device. Otherwise, the Add Row couldn’t work. If there were no Row Owners on the table, then the entire table would be present.

Interesting. My gut says yes, but I’d want to test it to confirm. If the table had row owners, and the user wasn’t an owner of any row, then they’d get an empty table. In theory, if they then added a row with an owner value that doesn’t match their own email/role, then the added row should immediately disappear from their device. But I’m not 100% sure if it would work that way in practise. Again, I’d want to test it.

Update: @rayo - curiosity got the better of me, so I decided to test for myself. Yes, it works - kind of. Here is how I tested:

  • created a table with 2 columns; RowID and Name (basic text)
  • made the RowID column a Row Owner. (this basically ensures no user will own any row)
  • Added a tab with an Open Form button, and an Inline List sourced from my test table
  • Directed the form to the test table
  • Testing from a mobile device, I was able to add rows to the test table, and I could see the new rows appearing in the Data Editor
  • BUT… those new rows also initially appeared in my Inline List on the mobile device
  • If I restarted the App, all rows would disappear from the list.

This makes sense to me, because Row Owners are applied before data is downloaded to a User Device. So if data is added from the device itself - it’s already there, so it’s too late for row owners to have any effect.

I was curious to see if the added rows would disappear if I just left it for a while without a forced restart, but it appears not. So that leads me to conclude that Row Owners are never applied locally, even for new data added.

I’ll be curious to get @Jeff_Hager’s take on this.

3 Likes

Lovely @Darren_Murphy
Thank you very much.

I wonder though why a table with no row owners referenced only by an add row action would have its data be downloaded on a user’s device. Is this confirmed or an opinion?

That’s just what I believe based on my understanding of how row owners is applied, and what determines which data is downloaded to a users device. I could be wrong, but I’m not sure how you would devise a test to confirm that. As soon as you do anything to try and detect any data (eg. a rollup to count the number of rows), you’d be referencing all rows and invalidating the test. I guess you’d need to examine the data payload using browser dev tools. I’ll leave that to you if you’re curious enough :slight_smile:

2 Likes

I agree with everything @Darren_Murphy said. I’ve dug into the downloaded data in the past, but not enough determine what is all downloaded and under what circumstances. As a general rule, I agree that if a table is used in ANY way by the app, then it should be assumed that the table is sent to the user’s device. The local copy of the data needs that table to exist for the app functionality that uses it to work. If an app does not use a table in any way, then I don’t believe it is sent to the user’s device.

If you are applying row owners to a column that will never hold an existing user email or a role, then any existing data in that table will not be downloaded… although the empty table will still be loaded on the device. I haven’t tested adding a row, but yes, I would probably agree that it sticks since it originated locally but a refresh of the app would make it go away. Shouldn’t matter though, since the user added the row themselves, so I don’t see any security issues there.

2 Likes