Tutorials: users and admin access to different screens

In this short tutorial I show how to redirect users with different roles to different screens after their login. For example, this could be useful when you have an “admin” role and want to have a separate screen - an admin console.

Didn’t find a similar tutorial, so I decided to make it myself :slight_smile:

6 Likes

Thanks for the tutorial Victor.

I noticed that in a couple of your videos you keep checking the ‘access’ of your features by pasting the URL directly into an incognito window (to prove it would have worked in any browser even without login), and then you add a visibility condition on your elements to secure access to features.

I personally do not have a deep technical background. Do you think it is a very serious security issue that anybody can directly access Admin (or other protected screens) by accessing the URL? Is it easy for outsiders to get or guess the URL pertaining to a specific record in any table / app screen? Or is it a manageable flaw as long as you implement the correct visibility conditions?

Thanks.

Hi @theophilus,

I think that it is not a “security issue”, it is just the way it works.

My guess is that Adalo was created primarily to build mobile apps. In mobile apps (compiled and installed from the App Store / Google Play), the user “flow” can be managed pretty firmly, and I think it’s not possible to get to a hidden/protected screen without an explicit action with permission.

PWAs / Web Apps are a different story; you can easily copy the URL and send it to someone. A “user rights check” on each screen is not implemented in Adalo at the moment (see above - no need for that in mobile). So that’s why the developer needs to protect sensitive screens manually. Fortunately, there are on-screen-enter actions and visibility settings, so these can be used for protection.

What you need to do upon entering the screen is check (a) that the user email is not empty and (b) that the user is an admin. “Hiding” content is an additional measure, protecting against a bug which sometimes happens with the Back button.

As for guessing the URL - I don’t think it’s possible, just look at its length :slight_smile:

Thanks for the explanation Victor. :+1:

1 Like