Are Condition Permissions in data sources secure?

  • 1
  • Question
  • Updated 1 year ago
  • Answered
I'm using a postgres data source and want to enforce security on query. In the configuration I created a condition and selected 'enforce on query' and set the condition in condition permissions for the appropriate profile to 'always on'. This seems to work and I also don't see any way of modifying it via javascript, but I just want to confirm that this enforcing on query is occurring server side and not client side. Is that correct? 
Photo of Shmuel Kamensky

Shmuel Kamensky, Champion

  • 4,700 Points 4k badge 2x thumb

Posted 1 year ago

  • 1
Photo of Zach McElrath

Zach McElrath, Employee

  • 55,630 Points 50k badge 2x thumb
That's correct - Data Source Conditions are enforced server-side --- so that you have a way of ensuring that the Conditions are included on every query and cannot be hacked client-side. 

Model Conditions added via the Page Composer are added to Models client-side, and as such are not secure, as a savvy user could manipulate the Model Conditions client-side.