Login security question


I think I’m doing something horribly wrong…
I have a todo list manager app.
to use the app you have to have credentials and there are privacy rules setup.
When I enter the URL of my todo list in an incognito tab (live and dev), I get the list of all todo’s, and I’m not logged in at all…

Why do i even get this page served?

Would appreciate your help in showing me what stupid thing i’ve probably done.


Probably you don´t have your security rules set up correctly if anyone can see all data by just visiting the URL. One thing I always do is have a workflow on every page that checks when page is loaded and user isn´t logged in, to take them to the index/home page. Like so.


Then you have to check the effectiveness of your privacy rules by visting the URL logged in as a different user.

This is how to set up a rule, in my case, the thing I´m trying to protect is called Project. This rule enforces that when your user is associated to the Partner that´s associated to the Project, you can do the things that are checked

Everyone else, then they don´t have access to anything (in regards to the type Project)

Hope this helps

1 Like

In addition to @AlonsoC’s reply, I usually make all Groups with important content Hidden on page load, and use a Condition to only show them if user is logged in.

Sometimes a redirect can take a little time to trigger, and things will be visible in the meantime.


It’s actually exactly what I did, but the redirect took time like @petter stated…
About the rules - Thanks, I’m on it! =)

glad to have helped!

that´s true, great advice thanks!

The problem is that the content if it is invisible or not was already sent to the client and someone who shouldn’t see this can extract the data. Please correct me if I am wrong, but to set groups to invisible is not a very secure solution.

Do anyone know if the check about logged user is prentending the server sending the data to client?

I mean that here: