I’ve been experimenting with the Find this in searches setting for privacy and am a bit fuzzy on what all it does from a security standpoint.
I get that it dictates whether or not Do a search for displays results for the user, but I’m wondering how exactly to use this in an app. Here are some questions:
- Am I correct in thinking this prevents users/nefarious actors from exploring/querying sensitive data while letting my app evaluate logic related to a need?
- If yes, is there a way to expose the results of a search to a user if the search is off?
For example, let’s say I have a Type with Find in searches set to off so users can’t just search any old thing in the type, but I want to then show a list of things that are the result of a search in a workflow to a user.
I should add that I’m hoping there’s a way to display values without resorting to an API if possible, so wanting to be sure I’m secure yet able to display data as needed.
To help others in the future.
Yes on 1, although your app won’t be able to do a search either if the Current User can’t - other than using API Workflows with privacy rules disabled, workflows inherit the Current User’s privileges.
2 - yes, there is: just turn Find this in searches ON!
Then use privacy rules to prevent anything sensitive from being returned. If someone discovers that there’s a User with unique id 16529078x191647628140, but can’t see any data - probably doesn’t matter, right?
Note that having Find this in searches OFF prevents the Thing being found when it’s the page’s Thing - so it needs to be ON if you want to use either the slug or the unique id in the URL (View slug also needs to be enabled to use the slug).
I wouldn’t have considered use of the unique id in the URL a ‘search’, but there you go. (Yes, it’s a search technically in the database, but then so is loading this Thing using a reference from another Thing, yet that works fine when Find this in searches is OFF.)