I’m using a postgres data source and want to enforce security on query. In the configuration I created a condition and selected ‘enforce on query’ and set the condition in condition permissions for the appropriate profile to ‘always on’. This seems to work and I also don’t see any way of modifying it via javascript, but I just want to confirm that this enforcing on query is occurring server side and not client side. Is that correct?
That’s correct - Data Source Conditions are enforced server-side — so that you have a way of ensuring that the Conditions are included on every query and cannot be hacked client-side.
Model Conditions added via the Page Composer are added to Models client-side, and as such are not secure, as a savvy user could manipulate the Model Conditions client-side.
