Private Sign in, Limit Access by Email

Where are you adding these lookups?
It may not have been obvious, but my suggestion was to create the lookups in the Glide table.
So when you are done with the “Public” sheet and you look at the Google Sheet - you will only see one column, which is the RowID with the arrayformula. All the rest will be computed columns that only exist in Glide.

You should be able to give those columns any name you like.

1 Like

I’m not 100% sure about that one, so I’d defer to somebody with a much deeper understanding than me (looking innocently at @Jeff_Hager :innocent:)

Oh yes, I am creating them in the public sheet via the Glide data editor.

1 Like

Unless you have a row owner or roles set up then that data is exposed.

Even for sheets not synced for data unless you are signed in? Where those who are signed are allowed to see that information.

I’m not totally sure on that answer. I just go under the assumption that any data that is not behind row owners or a secure private login is susceptible to being snooped by a savvy user regardless if they can access that part of the app or not. I’m not sure at what level the database is cached on the user’s device, but I would assume that most, if not all, data is synced and downloaded to the device to provide speed and ease of use to the end user. Row owners prevent that download from happening for users that are not meant to see that data. Like you said, security through obscurity is not security at all.

Case in point is the recent post where a fellow app builder was notified by an anonymous user that all user data was accessible through various techniques, even though it was not technically visible in the app UI.

4 Likes

I see.

Three questions…
Is it the Glide editor or Google Sheet that downloads onto someone’s phone?

How can I have the email address column accessible and able to send emails for all business owners once they sign-in?

Do you know how long this data is cached? If I switch my public synced sheet to this more secure one, the old one might still be downloaded on some phones.

Thanks!

Correct. As long as the data is downloaded to the device (means it’s not protected by row owners or roles), it’s exposed.

It took me just 2 minutes to get to @Jen_NYCP’s app and get (I think) all data that is stored on the Sheet. It’s not secured.

2 Likes

It’s the same data you would see in the Glide data editor. All computed columns are always computed locally on the user’s device. Not on the Glide servers.

Are the emails only supposed to be accessible to other business owners and not the public? What data needs to be protected?

I have no idea how long it’s cached or if the cache is cleared after a user signs out of the app. It could all depend on the browser. All websites cache data within the browser but I assume it’s updated when a user is using the app.

1 Like

Yes, the email address, and two others actually should be secure or not accessible by the public (not sure if that is the same thing). But I would like the other businesses to access the name and email address column of other businesses for contact.

Does anyone have their users contact each other via email?

Are you making a distinction between users and contacts?

If not, then perhaps this is what you should consider. It’s generally good practice anyway.

  • A user email is associated with a user of the app. It’s what they use to login, and as a general rule it should be kept private (unless the user explicitly agrees otherwise).
  • A contact email can be associated with a user, or with a business. It might be a personal email address, but in many (most?) cases it won’t be. It’s usually something generic like contact@ or enquiries@. Contact email addresses in this context are almost by definition public, so you don’t have to worry about trying to secure them.
1 Like
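
The difference between hiding rows in the UI and withholding them with row owners, together with the user/contact split suggested above, as an added example that is not part of the original thread and is not Glide's code. It is a simplified model: the function names, column names and sample rows are all constructed for illustration.

```javascript
// Constructed sample data: a private table keyed by login email and a
// public table holding only what each business chose to publish.
const privateRows = [
  { owner: "alice@example.com", business: "Alice's Bakery", phone: "555-0101" },
  { owner: "bob@example.com", business: "Bob's Bikes", phone: "555-0102" },
];
const publicRows = [
  { business: "Alice's Bakery", contactEmail: "hello@alicesbakery.example" },
  { business: "Bob's Bikes", contactEmail: "enquiries@bobsbikes.example" },
];

// Weak model: the whole table is synced and the app only hides rows in the UI.
function syncWithUiFilterOnly(rows, signedInEmail) {
  const payload = rows.slice(); // every row reaches the device
  const visible = payload.filter((r) => r.owner === signedInEmail);
  return { payload, visible };
}

// Row-owner model (hypothetical): rows are filtered before they are sent,
// so a signed-out or non-owning user never receives them at all.
function syncWithRowOwners(rows, signedInEmail) {
  const payload = signedInEmail
    ? rows.filter((r) => r.owner.toLowerCase() === signedInEmail.toLowerCase())
    : [];
  return { payload, visible: payload };
}

// What someone inspecting the device cache or network traffic can read.
function exposedOwners(syncResult) {
  return syncResult.payload.map((r) => r.owner);
}

// Audit check: a login email must not appear in a table synced to everyone.
function leaksLoginEmail(publicTable, privateTable) {
  const logins = new Set(privateTable.map((r) => r.owner.toLowerCase()));
  return publicTable.some((r) => logins.has(r.contactEmail.toLowerCase()));
}
```

Both sync functions show the same rows on screen for a given user; only the payload differs, and the payload is what decides exposure.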

Some are public, ie. you can find on their websites, but some are private. I would like for businesses to contact each other if wanted. They already know they are part of this internal communication network.

Okay, but I would still recommend creating that separation between users and contacts.

Then you can allow your business owners to choose how they should be contacted, rather than it being fixed to their login email address.

Do you have businesses with multiple users of the app? If yes, how do you manage that currently? ie. Which one is used as the business contact? Are they all listed, or do you pick one?

I have two tabs with business details, one public and one private. The public does not contain email addresses, only information seen on the public app.

All businesses have one contact person. Their contact email address will be the same as their login email address.

I would suggest reading this thread from this point to the end. I think it explains a very similar problem with similar obstacles. There is a bit more technical explanation on why this is so hard to achieve.

4 Likes

haha, snap. Sometimes I wonder if @Jen_NYCP and @a.manda are actually the same person :rofl:

3 Likes

Thanks!! I’m wondering how Instagram does it where you can email someone from their page, I guess they have their own security for that?

Do you know if I use another tool which pulls the information from the Google Sheet for businesses to be in contact, would have the same downloaded data problem as Glide?

Instagram has a team of developers building a single app from homegrown code whereas Glide is an all in one solution that tries to cater to millions of different app types with easy to use no-code tools. I’m sure Instagram works quite differently and handles a lot more processing server side when it comes to security. I don’t know if it’s quite fair to compare the two in functionality.

I’m not familiar with other tools or how they work. Other than code development at my day job, Glide is the only no-code solution that I use in my spare time.

3 Likes

I guess we will have to wait for chat to become a feature for communication between users (also where you can choose which users have this feature), where emails won’t be needed. Thanks!