I’m building a pretty typically structured SaaS app where each user should only be able to view & edit data regarding their company. I’ll definitely set up a privacy rule to make sure each user can only access their company’s data, but I’m curious if I should also add search conditions on my dashboard to match Related Company = Current User's Company etc.
Per this post it seems like some combination of privacy rule & filter will work best, but I want to clarify with the experienced Bubble folks
You just need to do the privacy rules. Only those are truly secure.
Adding a search condition in a search filter isn’t secure (and even if it was, there would be no need to do it if you already have a privacy rule in place).
Remember also to put conditions on any workflows relating to making changes to creating or altering data, to ensure the user is authorized to do so.
As @ed727 has stated Privacy Rules are the only thing you should need, but I’ll add this is only true if you’ve correctly setup your dataset to be relational as it does seem you have Related Company = Current User's Company Where Related Company is a Thing and Current User’s Company is another, related thing.
Also Database Triggers run as full Admin (not limited to privacy rules) so if you do any searches or something inside your database trigger make sure to tighten down those constraints (Current User is still available as context for who triggered it).
Most database triggers wouldn’t have searches cause that sounds very heavy but something to make note of
