Okay, so I think the way to fix this is to set the email column on your Business Owners sheet as the row owner. That should sort out your visibility issue with the button.
But… based on what I’ve seen from your other posts it may introduce another problem, which is that individual business owners wont be able to see information about other businesses - and that would be a problem, yes?
Let me first preface this by saying that what follows is not much more than me thinking out aloud, and there is every chance that I could be wildly off base.
With that said…
I’ll assume first that within your Business Owners table there is a mix of information about each business. Some of this you want to make public, but some should be kept private and only accessible by individual business owners. If that’s not true, then you can probably stop reading here. Otherwise, read on…
If there is any private information in the Business Owners sheet, then you definitely should be using row owners on that table. But then, how do you make the “public” information available?
This is what I would do:
Create a 2nd sheet, let’s call it Business Owners Public
The first column of this sheet would be an arrayformula, which copies the RowID from the private table
You use this column to create a relation between the two tables
With that in place, you can add a lookup column to bring in each column from the private table that you want to make public
You do not set any row owner on this table, so all data is accessible by anyone
Then with the above in place, anywhere in your app you need to display “public” business owner data, you reference this sheet instead of the “private” sheet.
This is a very similar approach to what @kyleheney described here, and to my simple mind it is both sound and secure.
The problem with visibility is that all data is still downloaded to the users device, and then the visibility settings “hide” the data from them. But it’s still there, and a savvy user will know how to get at it quite trivially. As an app developer, this leaves you exposed, and so you need to decide if you’re willing to take the risk that somebody might get hold of that data (and the potential consequences that might bring).
But when you use row owners, then only the data that belongs to that user is downloaded to their device. The rest stays on the Glide servers - and so it’s much much more difficult for a bad actor to get at it.
Yes, Yes I get that 100%. I am working through adding all the lookup columns, I see I can’t give the headers the same name?
Also, for the private sheet, I will still want the email address column viewable by other businesses so that they can communication with each other via email (this won’t work with row owners) If I have this sheet behind the button which is only seen when a business is signed in, can a savvy public user access this sheet as well?
Where are you adding these lookups?
It may not have been obvious, but my suggestion was to create the lookups in the Glide table.
So when you are done with the “Public” sheet and you look at the Google Sheet - you will only see one column, which is the RowID with the arrayformula. All the rest will be computed columns that only exist in Glide.
You should be able to give those columns any name you like.
I’m not totally sure on that answer. I just go under the assumption that any data that is not behind row owners or a secure private login is susceptible to being snooped by a savvy user regardless if they can access that part of the app or not. I’m not sure at what level the database is cached on the user’s device, but I would assume that most, if not all, data is synced and downloaded to the device to provide speed and ease of use to the end user. Row owners prevent that download from happening for users that are not meant to see that data. Like you said security through obscurity is not security at all.
Case in point is the recent post where a fellow app builder was notified by an anonymous user that all user data was accessible through various techniques, even though it was not technically visible in the app ui.
It’s the same data you would see in the glide data editor. All computed columns are always computed locally on the user’s device. Not on the glide servers.
Are the emails only supposed to be accessible to other business owners and not the public? What data needs to be protected?
I have no idea how long it’s cached or if the cache is cleared after a user signs out of the app. It could all depend on the browser. All websites cache data within the browser but I assume it’s updated when a user is using the app.
Yes, the email address, and two others actually should be secure or not accessible by the public (not sure if that is the same thing) But I would like the other business to access the name and email address column of other businesses for contact.