Views and privacy
Hi
How private are filtered views?
Say I have 2 companies using the same table (form). But I don't want each other seeing each other's data. So I create filtered views.
Are these filtered views secure? There is no way one company can manipulate anything to be able to see other companies' data?
Or should I create a new table for each company? My idea is to have one form shared by many companies. Is this a bad idea?
Thanks
September 17, 2018 at 4:46 pm
Hello,
This is a security & privacy-related question. If you are looking for an official answer, I suggest posting to official Formidable support.
As a community member, I can share my personal opinion. In general, it is secure but it totally depends on how you use it. The important part is how your view filter gets its filter value. If the value comes from the URL and it can be easily guessed, you need additional measures to make sure it can't be manipulated.
So in your case, if the company identifier comes from the URL, make sure it can't be easily guessed. If the company identifier is guessable, or for added security, you can introduce a secret unique to a company. This post by James explains the concept:
http://community.formidableforms.com/help-desk/prevent-url-hacking-by-adding-a-secret-field/
Another approach is to avoid passing the filter value from the URL, e.g. save the company identifier in user meta and use it in the filter.
Another important thing is to secure the page used to edit/display individual entries. Usually, the edit page has the Entry ID in the URL, which can be easily manipulated. The above post by James is meant to prevent it.
Also, I try to use Formidable Entry Key instead of Entry ID where possible, as it is not easy to guess the key.
Hope this is helpful.
September 18, 2018 at 10:24 am
Hi
Thanks for your response. I have also submitted a formal ticket to Formidable for their advice.
As of now I have saved the company name in the user metadata field under "nick name". I have used this in a form to filter the company list. So the correct company is always selected when the user opens the form, preventing them from even seeing what other companies are in the company dropdown list. Now I need to do this for a view.
James's post is also a viable solution. I will give it a go.
Discussion closed.
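The three points raised in the reply above (a filter value taken from the URL versus from user meta, a per-company secret, and an ownership check on the single-entry page) can be compared side by side. This is an added example, not part of the original thread and not Formidable or WordPress code: a small Python model over constructed entries, where `ENTRIES`, `USER_META`, `COMPANY_SECRETS` and all function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data: two companies sharing one form/table.
ENTRIES = [
    {"id": 101, "company": "acme", "data": "Acme invoice"},
    {"id": 102, "company": "globex", "data": "Globex invoice"},
    {"id": 103, "company": "acme", "data": "Acme contract"},
]
# Stand-in for user meta: set server-side by an admin, never by the request.
USER_META = {"alice": "acme", "bob": "globex"}
# Hypothetical per-company secrets (random, so not guessable).
COMPANY_SECRETS = {c: secrets.token_urlsafe(16) for c in ("acme", "globex")}


def _rows_for(company):
    return [e for e in ENTRIES if e["company"] == company]


def view_filtered_by_url(params):
    """Weak form: the filter value is whatever the URL says."""
    return _rows_for(params.get("company"))


def view_filtered_by_user_meta(user, params):
    """Filter value comes from user meta; the URL parameter is ignored."""
    company = USER_META.get(user)
    return _rows_for(company) if company is not None else []


def view_filtered_by_secret(params):
    """URL carries the company and its secret; both must match."""
    company = params.get("company", "")
    expected = COMPANY_SECRETS.get(company)
    supplied = params.get("secret", "")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return []
    return _rows_for(company)


def get_entry(user, entry_id):
    """Single-entry page: the entry ID from the URL is checked against the
    requesting user's company before anything is returned."""
    company = USER_META.get(user)
    for entry in ENTRIES:
        if entry["id"] == entry_id and company is not None and entry["company"] == company:
            return entry
    return None
```

In this model a request for `company=globex` made while logged in as `alice` returns Globex rows only from the URL-driven view; the user-meta view and the entry check both resolve the company from the server side and ignore what the URL claims.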