How to set Public when visiting specific URL, but not visible in 'Find in Search'?

I have a Thing for ‘Projects’ where users can set a field ‘Public’ to ‘yes’, so that they can share a Project-page URL to colleagues or external partners they work with, without an account, so that they can see the project and its status.

But in their dashboard people will see an overview of their projects and when ‘company’ isn’t defined by accident, through a bug or by malicious intent, people would be able to see any other Project in the tool while they shouldn’t ever be able to see other Projects that don’t belong to them outside the tool. Those ‘Public’ Projects can be seen, but only if you happen to go to the exact URL of that Project on the Project page. How can I make sure that this is secure?

I’m already aware that I’d want to unselect the ‘Find in Search’ in Privacy tab, but then how does it show up on the Projects page? I have to do a Search on that page to find the Project with the matching ID (right?) or is there a way to show the Project on that page instantly without having to do a Search?

You can use the content type on the page and set it to project. Then in the URL after the page name there will be a need to either use the unique id of the project or the slug of the project.

This counts as a search though for privacy rules :confused: Disabling ‘find this in searches’ prevents this behaviour and it behaves as if no data is found (because it isn’t)


This won’t prevent tech-savvy users from seeing the project, but you could restrict the search on the dashboard to exclude projects. E.g. do a search for Projects like:

- Company is current user’s Company
- Company is not empty

You could also restrict the privacy rules such that a project without a Company is never visible, or a user without a company can’t see any projects.

Ok so indeed there is no way to do this in such a way that a public project is only public on a certain external-focused page and not on the general dashboard for everyone?

There is a hacky workaround to this, it will cost you a bit of WU, but you could justify the costs if you care about security.

Disable the ‘find this in searches’ by default.

Create an ‘invite code’ text field on the Project and generate a random string for it, no special characters.

When sharing the url of the Project page, append a &code=invite code

Add a list of Codes to the User field.

Add a privacy rule that grants search permissions to the user ‘when current user’s codes contains this Project code’

Add a page load workflow which will add the code to the User field, and reload the page (privacy permissions are applied serverside on requests, so there are no realtime updates, the page needs to be refreshed). The condition of the workflow should be ‘When current user codes doesn’t contain get code from URL and get code from url is not empty’. In that workflow, add the code to the User field, and reload the page (privacy permissions are applied serverside on requests and there is no realtime updating, the page needs to be refreshed)
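
A small Python model of the invite-code steps above, added here as an illustration; it is not Bubble code and not from any poster in this thread. The class and function names are assumptions, the privacy rule is modelled as a server-side filter, and the rule also includes the 'Company is not empty' check suggested earlier in the thread.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Set

# "No special characters": letters and digits only.
ALPHABET = string.ascii_letters + string.digits

def new_invite_code(length: int = 32) -> str:
    """Invite code drawn from the OS CSPRNG (about 190 bits at 32 characters)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

@dataclass
class Project:  # hypothetical stand-in for the Project thing
    name: str
    company: Optional[str]
    invite_code: str = field(default_factory=new_invite_code)

@dataclass
class User:  # hypothetical stand-in for the User thing
    company: Optional[str] = None
    codes: Set[str] = field(default_factory=set)

def can_find(user: User, project: Project) -> bool:
    """Privacy rule: grants 'find this in searches' for one project."""
    # An empty Company never matches, so an unset field cannot expose projects.
    same_company = bool(project.company) and project.company == user.company
    # The invite code acts as a capability: holding it grants search access.
    has_code = bool(project.invite_code) and project.invite_code in user.codes
    return same_company or has_code

def search(user: User, projects: List[Project]) -> List[Project]:
    """Every search is filtered server-side by the privacy rule."""
    return [p for p in projects if can_find(user, p)]

def on_page_load(user: User, url_code: Optional[str]) -> bool:
    """Page-load workflow: store the URL code; True means a reload is needed."""
    if url_code and url_code not in user.codes:
        user.codes.add(url_code)
        return True
    return False

if __name__ == "__main__":
    # Constructed sample data.
    shared = Project("Shared", "globex")
    projects = [Project("Own", "acme"), shared, Project("Orphan", None)]
    guest = User()
    print([p.name for p in search(guest, projects)])   # nothing visible yet
    on_page_load(guest, shared.invite_code)            # visit ...&code=<invite code>
    print([p.name for p in search(guest, projects)])   # only the shared project
```

Because the code is the only thing guarding the shared project, its length and randomness are what keep it from being guessed; a short or sequential value would defeat the scheme.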