URL Data Breach

I have a tool in my business to show ‘Team Leaders’ sensitive information regarding their team members. The data is filtered to show to every ‘Team Leader’ the people who have the name of the team leader as ‘leader’.

A work colleague has recently accessed the App through a URL saved in the browser History and accessed information regarding a person who he should not see. The data and the filters are correct as once my colleague moved to a different screen, he was no longer allowed to go back to the first screen.

To mitigate this I even put visibility conditions on the collections of data shown in the screen. But every time he accesses the app through that URL it’s like he bypasses all filters and conditions. Any idea how to solve this?

Sounds like they are accessing a specific details screen directly.

A quick (insecure) fix would probably be to apply visibility conditions to the components on the details screen.

To fix it properly you should apply Row Owners. You probably want to use Team Names as Roles (configured in User Profiles), and then use the Role names as Row Owners in your data table.

3 Likes
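
The difference between the two fixes in the answer above, modelled in plain Python as an added example (not Glide code and not from the original posts): a filter on the list screen does not protect a details screen opened from a saved URL, while an ownership check at the data layer does. The table, e-mail addresses, role names and function names are all constructed for illustration.

```python
# Constructed sample table: each row names the team role that owns it.
ROWS = {
    1: {"member": "Ana", "review": "meets", "row_owner": "team-red"},
    2: {"member": "Ben", "review": "exceeds", "row_owner": "team-red"},
    3: {"member": "Cho", "review": "below", "row_owner": "team-blue"},
}
# Constructed user profiles: the role is the team name.
PROFILES = {"lee@example.com": {"team-red"}, "kim@example.com": {"team-blue"}}


def list_screen(user):
    """List view: only shows rows whose owner matches the leader's role."""
    roles = PROFILES.get(user, set())
    return [rid for rid, row in ROWS.items() if row["row_owner"] in roles]


def details_filter_only(user, row_id):
    """Details opened from a saved URL: the list filter never ran,
    and nothing here checks who is asking."""
    return ROWS.get(row_id)


def rows_for(user):
    """Ownership enforced at the data layer: rows the user does not own
    are never part of the data their session can read."""
    roles = PROFILES.get(user, set())
    return {rid: row for rid, row in ROWS.items() if row["row_owner"] in roles}


def details_row_owned(user, row_id):
    """Same saved URL, but the lookup runs against the restricted row set."""
    return rows_for(user).get(row_id)


def exposed_by_direct_link(details_fn, user):
    """Audit check: row ids the user can open directly although their
    list screen never offers them."""
    listed = set(list_screen(user))
    return sorted(rid for rid in ROWS
                  if rid not in listed and details_fn(user, rid) is not None)


if __name__ == "__main__":
    for fn in (details_filter_only, details_row_owned):
        print(fn.__name__, exposed_by_direct_link(fn, "lee@example.com"))
```

Running the audit function for every user after a permissions change is a quick regression check that no details screen is reachable outside the rows that user owns.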

Thank you so much Darren! Everything works now.
