I have table/collection A in Adalo which is linked to a Company table where the company table defines the company that that rows in table A the table belong to.
I have users log in to my Adalo app who belong to different companies I have registered on the app.
User in a company should only see the rows that belong to that company.
It’s easy to filter rows by company of course… but… will Adalo filter on the server side or client side?If it’s client side, then the rows of other companies will still be sent to clients/devices that can then see them if they know what they are doing.
Thanks… but it doesn’t look like the Collection Permissions can do the basic permissioning I need. Using the Adalo collection permissions I can link a ‘created by’ User to my collection, and then the “Some Logged in Users” option is shown in the permissions dropdown for the collection, but then I can only link to that user… I need to be able to link to the user and check the Company record of that creating user. All users in my app linked to the same Company record should have access to the collection.
Basically users in the same company can access their companies records (and view ONLY their companies’ records) It seems Adalo is not able to do this?
(At least not with the permissions as they are. Is there another way to do this?)
USER links to a COMPANY and COMPANY has many SERVICES
When I apply the filtering in Adalo on the SERVICES list, is that filtering applied on the server side or on the client side on the device? If it’s on the device then that is a security problem as it would be possible for users of other companies to use browser tools to view SERVICES records of other companies.
I’m sure it is in the server side that’s why an app will not work without an internet connection.
The scenario I presented to you is my same one but with government agencies and I have several of them and when they go in they only see their data. Of course you need to make all of this filtering in every single list. If you miss one it will display all the data.
Not necessarily. Data rows can still be sent to the device and THEN filtered. All a user would have to do to see all of the data rows that they should not have access to (or see at all), is look at the API call in the browser tools (if filtering is device side)
I moved onto Adalo from Glide Apps as they focus mostly on internal apps where this would not be such a big issue. They do it to save money on the server side costs as I understand it.
But… I need to know for sure if Adalo filters are applied on the server side? Does anyone know for sure?
In most of the cases, the filtered queries (e.g. lists with filters) are executed on the server side and the result is returned to a client.
However in some specific cases the data is passed to a client and the filters are applied there. I do not have the exact list of these cases and as I see they depend on the app features and setup.
If you are building a mobile app, this should be a less of an issue for you (unless your threat model assumes that the binary application on the phone can be hacked - but I believe in this case you need to go full code anyway).
For the web apps, I strongly support the suggestion by @adalojosh to use collection permissions and build your database in a way so that you can limit the access using them. Just in case: collection permissions simply do not return any “non-accessible” records at all - even on the server side. As a side consequence, Counts stop working correctly :).
If Collections Permissions are not flexible enough for you, you can use external collections like Xano which have quite flexible permissions’ capabilities.
An important disclaimer: the information I’m sharing is the result of my own research. This information may not be accurate as Adalo is constantly evolving and something may work differently.
I do not work for Adalo and if you need an official answer, I would advice to submit a support ticket as @James_App_Maker has suggested.