Doesn't seem like I can edit pending posts to merge topics, but it seems like Baserow doesn't have actual API endpoint architecture/design like Xano/Swagger, enabling i.e. an endpoint to be restricted to only perform that function or be limited to that field, instead of full database access if needing CRUD permissions?
Also, even in Xano’s specific endpoint in frontend code, a frontend user (with a bit of his own code) was able to read full db fields/contents. How do I ensure only the endpoints coded in frontend don't enable full read access of other fields in the table (they need to remain there and can't be in a separate table)? Thx
I’m not sure I fully understand the question, but if you’re asking whether it’s possible to restrict visible data by hiding fields, this can currently be done via the API using specific query parameters (Baserow API spec).
However, a user with access to the table will always be able to see all the fields in the table. Fields are only hidden when the table is shared publicly. In that case, any hidden field in the view will be inaccessible to users outside the workspace.
Thx @davide, 1) don’t want to hide fields, trying to restrict frontend end-user (not auth token user) from accessing other fields outside of endpoint-specific functions.
With Xano, simple view source and line of code was able to see all emails etc in db, despite endpoints not reading those fields.
Are you saying hiding fields in a specific view will restrict access to those fields? Is there any doc or comment from staff confirming this, or where did you get this info? And can frontend end-users access other views, since db table id is in code? Thx!
The Baserow frontend uses the same APIs “auth token” users use, and the endpoints are described here: Baserow API spec. An authenticated user cannot list/use resources if they don’t have access to them, no matter what code you inject in the frontend.
As I said before, all authenticated users with access to the table can see all fields and all rows for that table. If you hide some fields and share the view publicly, unauthenticated users or users without access to that table won’t be able to see/use hidden fields, as described here: Public sharing
Clarifying: 1) if website coded endpoint only reads i.e. Field B, but website code (i.e. view source, or bypassing lines of code) shows table id (where Field A is not hidden), can website user see Field A even though endpoint doesn't reference Field A but since table id is visible in code? Inc. Auth token in code means website visitor has same permissions as auth token user, or only for endpoint urls specified (i.e. no access to Field A since not specified)?
Not sharing link publicly, only via website endpoint url and auth token in website code. Is the only workaround to hide fields in a separate db view and use that view instead of one db view with all fields and specified read-endpoints? Thanks so much @davide
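
An added example, not part of the thread and not Baserow's or Xano's own code: because anyone holding a credential with access to the table can read all of its fields, one way to expose only Field B to website visitors is a small server-side endpoint that keeps the token out of page code and returns an allowlisted projection. The route, the environment variable names, the `Token` header prefix and the `results` list in the upstream JSON are assumptions; `SAMPLE` is constructed data.

```python
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the thread): route name, env var names, and the
# "results" list in the upstream JSON. "Field A"/"Field B" are the thread's names.
ROUTE = "/api/field-b"
ALLOWED_FIELDS = frozenset({"id", "Field B"})

# Constructed upstream response, used to exercise the logic offline.
SAMPLE = {"count": 1, "results": [
    {"id": 1, "Field A": "alice@example.com", "Field B": "public"}]}

def fetch_from_baserow():
    """Server-side read; the token lives in the environment, never in page code."""
    req = urllib.request.Request(
        os.environ["BASEROW_ROWS_URL"],
        headers={"Authorization": "Token " + os.environ["BASEROW_TOKEN"]},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def project_rows(payload, allowed=ALLOWED_FIELDS):
    """Drop every key that is not allowlisted, so new table fields stay private."""
    return [{k: v for k, v in row.items() if k in allowed}
            for row in payload.get("results", [])]

def handle(path, fetch=fetch_from_baserow):
    """Request logic as a pure function: returns (status, body bytes)."""
    if path != ROUTE:
        return 404, b'{"error": "not found"}'
    return 200, json.dumps(project_rows(fetch())).encode()

class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

The website then calls only this route, so neither the table id nor the token appears in anything the visitor can view.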