Edit Security Question

Hi team, I have a question about Glide’s security around data edits.

I have a table that should be viewed by all users, and rows in that table are created by users. For allowing users to edit rows, I’ve already set up visibility settings for editing rows around “does user email match row creator email”.

My concern is this: As glide downloads the full sheet, I worry that a bad actor could potentially change a row that they do not own, through inspect element or other circumvention of the visibility of the edit elements.

Having rows that are visible to all users but editable by only some users, and ensuring that data is secure and cannot be compromised is a key requirement of my app.

Is this something that Glide supports or should I look at another solution for this type of security? Can view, cannot edit.

Just to be clear, inspecting elements on a public table does not mean it’s possible to change the source data. Only you and people who have access to the underlying Sheet/Glide Table can do that.

You are structuring the right condition for the editing part, so I don’t think there’s something to be worried about here.

The editing element is only generated by Glide when conditions are matched. As far as I aware, adding things in the source code does not grant the ability to mimic that button.

Awesome, thanks. So to confirm, does Glide perform any sort of back-end authentication when receiving an edit request? I.e. someone can’t spoof an edit request and the server will consume it?

I want to make sure that only users that created rows can edit those rows, but as for presentation that’s less of a concern, as all rows should be public anyways.

I can’t say for sure about that back-end authentication, but on the front-end only users you allow to edit can edit anyway.

That’s good enough for me for now. Thanks for the help!

1 Like

Glide has a bunch of security checks on the backend.

Most importantly, it will never allow editing a row in a table that has row owners, where the row is not owned by the logged-in user.