Can the global current_user be trusted?
Meaning, if we access this variable in a query, does its value actually come from javascript or does it come from the server? If it comes from javascript, it cannot be trusted as a user could potentially change it.
Thanks
2 Likes
Hi there! It comes from the logged in user account info 😊 And it can't be changed with JS (at least not that we're aware of, or have seen before).
Hi Victoria, I just want to be 100% sure here, this is definitely a security-related question we should be certain about. And as you can see others are interested in knowing this.
When retool fires off a query, the user account information comes from your server, and gets added to the query on your server. There is absolutely no way a user could manipulate this, correct?
Very valid. I've reached out to our security team to verify, and will update this thread to confirm!
It looks like, as this is definitely a security concern, we added a toggle that you can enable to prevent current_user access. Instead of handling this logic client side, which could allow a malicious user to impersonate another user, this toggle evaluates {{ current_user }} server side, so that only relevant data is sent to the client and it cannot be spoofed!
This toggle can be enabled by Admins under Settings > Beta.
3 Likes
This is great News! (was following the thread) We were planning of hiding / setting queries depending of the groups a user is in instead of having multiple apps (as it would be a bit harder to maintain).
1 Like
Very happy to hear that! 😊
@victoria I cannot find Settings => Beta => Prevent query spoofing. How can we enable it?
@nitazanav, hmm! I just checked in my personal org and see it. Just to double check, are you an admin in your org? Do you see other beta flags?