We know that visibility conditions of tabs, buttons, elements, … should not be used as security feature.
Meaning, a button with a visibility condition might not be secure.
But what about the conditions inside of an action. If that condition depends on a column in the user profile sheet. Would this be secure to prevent “non-eligible” users to trigger this action?
I think what you mean in this part
is that those won’t necessarily protect your data, only row owners and roles (Private Pro) can fully secure it, not visibility conditions.
Or do you mean another type of “security”?
I agree, this was more a statement, but my question is the following:
But what about the conditions inside of an action. If that condition depends on a column in the user profile sheet. Would this be secure to prevent “non-eligible” users to trigger this action?
Well as long as you don’t allow users to download specific data then the action will be secured.
The bottom line is data security relies on row owners and roles. If you configure that part the right way then the other things will follow.
Re data:
I think everything delivers to clients, except data filtered out by Row Owners.
Re actions: if it’s on server side - it’s secure.
For example: Trigger webhook, I hope it starts from Glide server.
It’s not only about downloading data, but also changing data.
Does this mean, that if I have a condition which “allows” certain users to trigger an action which e.g. sets column values, shows a detail screen, …, there is no way at all for other users to trigger this action?
Yes, as far as I aware, there’s not a way for you to mimic an action in the real app using some hacky ways in the browser.