Does Adalo DB have server-side filtering to limit the physical records 'sent down the wire'?

i.e. … I want to build an app where different users from different companies update project records, and I want to ensure that when a particular user in a particular company logs in and searches for projects, only project records for their company will ever be sent to that user's device. Is this physically possible when using the Adalo DB?

Hi @HughG,

If we treat your request in a “strict” way, unfortunately the answer is “no”.
In general, when you’re using a filter on a list, most of the time only filtered data is being sent to the end-user device. There were some exceptions when the data was filtered on the device itself, I can’t recall in which cases, but I believe that most of these cases were moved to server-side filtering.
However, if you want to be sure that no extra data is being returned from the database itself, then you need to use Collection Permissions. And I believe it’s possible to set permissions based only on users’ relationships, not other relationships with other collections. As you would like to have filters on Projects and Companies, I don’t think it’s possible to achieve it in Adalo.

So in this case I’d recommend using RLS on some external backend platforms.

Best,
Victor.

Thanks… but I just checked on Adalo itself after setting up the basic scenario above (which is the basis for the app I’m building) and checking the network fetches when applying a normal Adalo filter on the Projects based on the Logged In User’s Organisation, and it works… without needing Collection Permissions etc. So I have an Organisation collection which is a ref/lookup field on the User collection and the Projects collection. If I filter the Projects on the Organisation, it seems to apply that initial filtering ‘server side’ and so doesn’t return unnecessary records.

@HughG this is what I said in the first paragraph of my reply:

However, this filtering does not apply restrictions on the database side. In order to have better protection, one needs to use more granular access control. Adalo has Collections Permissions (Collection Permissions | Adalo Resources), which allow the database to return only the data which is connected to a certain user. E.g. if you try to create a list of all records, but the collection permissions are set to return records only for a certain user/group, you will not be able to get records which don’t fit this rule.

Unfortunately, Collections Permissions are quite limited. So if you need to implement full-scale protection, have a look at backends which can do Row Level Security (RLS).

Best,
Victor.
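
An added example, not part of the thread and not Adalo functionality: a minimal PostgreSQL row-level security setup for the Organisation / User / Projects layout discussed above, where the database itself refuses rows from other organisations regardless of what filter the client sends. Table, role and setting names (`app_users`, `app_api`, `app.user_id`) are assumptions made for illustration.

```sql
-- Constructed schema: Organisation is referenced by both users and projects.
CREATE TABLE organisations (
    id   bigint PRIMARY KEY,
    name text NOT NULL
);
CREATE TABLE app_users (
    id              bigint PRIMARY KEY,
    organisation_id bigint NOT NULL REFERENCES organisations (id)
);
CREATE TABLE projects (
    id              bigint PRIMARY KEY,
    name            text NOT NULL,
    organisation_id bigint NOT NULL REFERENCES organisations (id)
);

-- Constructed sample rows.
INSERT INTO organisations VALUES (1, 'Org A'), (2, 'Org B');
INSERT INTO app_users     VALUES (10, 1), (20, 2);
INSERT INTO projects      VALUES (100, 'A-one', 1), (101, 'A-two', 1), (200, 'B-one', 2);

-- Hypothetical role the backend uses for end-user queries: not the table owner, no BYPASSRLS.
CREATE ROLE app_api NOLOGIN;
GRANT SELECT ON app_users TO app_api;
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_api;

ALTER TABLE app_users ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects  ENABLE ROW LEVEL SECURITY;

-- app.user_id is an assumed custom setting, set by the backend from the verified session.
-- Unset or empty becomes NULL, so every comparison fails and no rows are returned.
CREATE POLICY users_self ON app_users FOR SELECT TO app_api
    USING (id = NULLIF(current_setting('app.user_id', true), '')::bigint);

-- With no WITH CHECK clause, USING is also applied to new and updated rows,
-- so a user cannot create a project in, or move one to, another organisation.
CREATE POLICY projects_same_org ON projects FOR ALL TO app_api
    USING (organisation_id = (SELECT u.organisation_id FROM app_users u
        WHERE u.id = NULLIF(current_setting('app.user_id', true), '')::bigint));

-- One request on behalf of user 10:
BEGIN;
SET LOCAL ROLE app_api;
SELECT set_config('app.user_id', '10', true);  -- true = scoped to this transaction
SELECT id, name FROM projects;                 -- no WHERE clause in the query itself
COMMIT;
```

The policies only bind roles that are neither the table owner nor marked `BYPASSRLS`, and `app.user_id` must be set by trusted backend code, never taken from a value the client can choose.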