Hey @GregFdz There's room for improvement in how we handle RBAC, and hopefully it will be worked on in 2023! As things stand, I would use an AWS Lambda or microservice to handle public form submissions. This would give you full control, but require a bit of development work. Your microservice could have validation to prevent users from bypassing the form validation. If your API saved the form submissions to an external DB, then you could allow only admin users to access that data and approve/deny applicants.
I actually managed to do it, since. It's tricky. And getting feedback is a hell of a headache. I had to create a sort of limited sub-API inside my Budibase app. The form submit button generates a link with all the data and redirects the user to a page that triggers an automation with all the URL params. Then the automation has a JS script challenging all the values.

I log the automation's response / feedback in a log table with a unique id that has previously been provided to the user (generated in the front end but challenged like a user input in the backend and then hashed, to even prevent little hackers from making a message appear in my table like id:hey-Ihackedyou-moron instead of id:3gf-zz58hm94f3h-hh64d). But once the user has sent his query and has his unique id to identify his request's response, he has to be redirected to another page with his unique id, but hashed the same way as in the backend. So I had to hash it with JS and then redirect the user with the hash as a URL parameter.

Other problem: you can't use JS to set a timeout or redirect a user. I didn't want to mess around too much with Budibase's security by using a meta tag and allowing JS script calls. That means I had to kind of hack Budibase to only allow my snippet. The dirty way. And make my JS as resistant to XSS attempts as I could.

Obviously, I'm going way beyond Budibase's limits / purpose. But I don't know any other open source software that would allow me to build a survey form, send confirmation emails, connect to APIs, build an admin panel etc...
Hi,
I'm starting to build an app that would allow public visitors (not logged in) to apply to a political party. For that, I need to create a public table. But doing so also means allowing anyone to access and edit all the data inside the said table, including data that is not theirs. It makes it quite complex to allow new entries while blocking further access to the saved data; it makes it incredibly complex to allow the user selective edits (only his row, only allowed columns). I barely see how I could build the first one, and I get lost in my thoughts when I think about the second.
Another thing is that, no matter which access level you choose for your table, I don't understand how we're supposed to validate the data that the user is sending into the table. Yes, you can use form validation and (if I'm correct) regex inside of that. But then, the user can always bypass that by sending API queries via URL, or even a script that they created.
There's a trick that came to my mind concerning the previous concern. I could create an automation for each time a new row is created, add an "is equal to 'false'" condition, then write a JS script challenging all my columns with the required regex. If any of them isn't validated, my script returns false. In my automation, if the condition is validated, I delete the row.
That brings another concern. It means that I can't validate the data before it's actually saved in my tables. I have to accept the entry before challenging it. A solution to that problem could be to add a "query submitted" to the triggers available. We would be able to set actions in between users' own actions and our data, to create a sort of firewall.
A last thing is that I just wanted to be able to create tables containing emails and ask the user to confirm his entry with a link sent to his inbox. In some other software like Budibase, it's just a click on a checkbox; in Budibase, I've been trying to find a way since yesterday morning... and I'm still wondering how I could make this functional.
That's quite a chunk of questions, ideas and sort of venting, so I'll just cut it there. My aim in posting this is to ask more experienced users if I'm overthinking some of these points; if there actually are easy ways to do at least some of the things that I'm talking about. Or if some are indeed complex but have already been solved, so I can avoid the heavy thinking by just reproducing these clever solutions.
Thanks for reading, lads !