I am building an app in Google App Maker and I am wondering how I can secure specific fields of a record to only make them visible to specific users / roles. Let's say for example that I have an Employee table containing the employee's name, surname, email and salary. I want all users to be able to see the name, surname and email but only admins to be able to see the employee salary. I can use the user roles to secure the UI, however my problem is that even when the employee salary does not appear in the UI it is still fetched from the server, therefore someone could still access it if they were determined enough (ex. by observing requests / responses). Is there a way to secure specific fields of a relation based on user roles?
Using calculated model (based on a server side script) is the best option here. That way, only the data that you need to show will be fetched. So in your case, as an example we can use a calculated model called EmployeeInfo with the fields name and salary. The Server Script of that datasource can contain something like this:
return getEmployeeInfo();
Then on your server script you can have something like this:
function getEmployeeInfo(){
var userRoles = app.getActiveUserRoles();
var query = app.models.Employees.newQuery();
var allEmployees = query.run();
var allRecs = [];
for(var i=0; i<allEmployees.length; i++){
var empInfo = app.models.EmployeeInfo.newRecord();
var employee = allEmployees[i];
empInfo.name = employee.name;
if(userRoles.indexOf("Admins") > -1){
empInfo.salary = employee.salary;
}
allRecs.push(userInfo);
}
return allRecs;
}
That way you control if the salary will be returned only if it is an admin.