In this short tutorial I show how to redirect users with different roles to different screens after their login. For example, this could be useful when you have “admin” role and want to have a separate screen - admin console.
Didn’t find similar tutorial, so decided to make it by myself
I noticed that in a couple of your videos you keep checking the ‘access’ of your features by pasting the URL directly in incognito window (to prove it would have worked in any browser even without login), and then you add visibility condition on your elements to secure access to features.
I personally do not have deep technical background. Do you think it is a very serious security issue that anybody can directly access Admin (or other protected screens) directly by accessing the URL? Is it easily possible for outsiders to get or guess URL pertaining to a specific record in any table / app-screen very easily? Or is it something that’s a manageable flaw as long you implement the correct visibility conditions?
I think that it is not a “security issue”, it is just the way it works.
As I guess, Adalo was created primarily to build mobile apps. In mobile apps (compiled and installed from Appstore / Google play), the user “flow” could be managed pretty firmly, and I think it’s not possible to get to hidden/protected screen without explicit action with permission.
PWAs / Web Apps is a different story; you can easily copy the URL and send it to someone. “User rights check” on each screen is not implemented in Adalo at the moment (see above - no need for that in mobile). So that’s why developer needs to protect sensitive screens manually. Fortunately, there are on-screen-enter actions and visibility settings, so these could be used for protection.
What you need to do is to check upon entering the screen is (a) that user email is not empty and (b) that user is admin. “Hiding” content is an additional measure, protecting against a bug which happens sometimes with Back button.
As for guessing URL - I don’t think its possible, just look at its length
Thank you.
Should I protect one by one all the screen with a condition e.g: sen to login if email login user is empty" or have you another easier way to do it when we have lot of protected screens ?
Thx a lot Victor
I don’t have a definite answer for you here. That depends on your risk model and how sensitive the data is.
If you’d like to be 100% on the safe side, then you need to protect each screen. And also you might want to group all the elements on this screen and set a conditional visibility on this group, using the same logic.
If you’re more relaxed, then you could implement such protection only on the “routing” screen and “home” screen.
I hope at some point Adalo will implement built-in protection against unauthenticated users.