Is the current_user global secure?

Can the global current_user be trusted?

Meaning, if we access this variable in a query, does its value actually come from javascript or does it come from the server? If it comes from javascript, it cannot be trusted as a user could potentially change it.



Hi there! It comes from the logged in user account info 😊 And it can't be changed with JS (at least not that we're aware of, or have seen before).

Hi Victoria, I just want to be 100% sure here, this is definitely a security-related question we should be certain about. And as you can see others are interested in knowing this.

When retool fires off a query, the user account information comes from your server, and gets added to the query on your server. There is absolutely no way a user could manipulate this, correct?

Very valid. I've reached out to our security team to verify, and will update this thread to confirm!

It looks like, as this is definitely a security concern, we added a toggle that you can enable to prevent current_user access. Instead of handling this logic client side, which could allow a malicious user to impersonate another user, this toggle evaluates {{ current_user }} server side, so that only relevant data is sent to the client and it cannot be spoofed!

This toggle can be enabled by Admins under Settings > Beta.


This is great News! (was following the thread) We were planning of hiding / setting queries depending of the groups a user is in instead of having multiple apps (as it would be a bit harder to maintain).

1 Like

Very happy to hear that! 😊

@victoria I cannot find Settings => Beta => Prevent query spoofing. How can we enable it?

@nitazanav, hmm! I just checked in my personal org and see it. Just to double check, are you an admin in your org? Do you see other beta flags?

Found it, thanks!