I want to restrict the ability to call a REST API resource to a permission group via the query advanced tab. So I created a new permission group and added my registered members to it.
I was hoping that anyone accessing my app via the public URL would be blocked from triggering this query, but it wasn't blocked.
Is there something I'm doing wrong here or have I misunderstood this query feature?
Thanks for reaching out!
1. Can we see how you set up the advanced tab? I'm imagining something like this would work well (if the user is in the admin group, the query should not trigger):
2. One thing I want to clarify is how the app is being accessed. Is the user logged in to Retool and accessing a Viewer link? If so, we should be able to reference the current_user property as I've shown above. However, if the user is accessing a Public app, they won't be logged in to Retool and we won't have any information about the current_user. In other words, users accessing a Public app link are anonymous, since anyone that has the link can access it, regardless of whether they are in your Retool organization. Since public app users are anonymous, we have no way of mapping them to certain permission groups.
@Tess Thanks for getting back to me.
I set it up as below. However, I have also tried your suggestion of using the Disable Query field.
When using a public URL in a separate browser that has not been logged into Retool, I'm expecting the user to be anonymous and therefore not belong to the "SMS Access" group I created, and therefore should not be able to run the query.
I tried both configurations and both are not working as I expected.
Hi @simonhopkin, thanks for sharing more about your use case!
I believe that section is ignored in public apps. This logic seems to work for preventing public app users from running a query since there is no current_user email.
Hi Tess, thank you for clarifying. It seems to be working for me now. Thanks for your help.
Awesome! Thanks for confirming.