Showing multiple specific users the same kind of data

Hey, I’m pretty new to using Anvil and the Data Tables functionality. I am trying to make a web app where only certain users can see the data they’ve inputted, but I was wondering if there was any best practice for having data that maybe 2 - 3 users can see vs. each user having their own associated data.

I was thinking of adding a column and having user IDs or emails be associated with each “data entry” and when you take a look at “all items”, you see only the items that you’ve been added to. Another thought was to have a new table for “groups” where you can add people to those groups, and have the items be shown by Group ID instead.

Any help understanding how that might look in Anvil would be greatly appreciated! Thanks!!

It really depends on your particular use case, but in general if each user can only see their specific data I’d go with a linking field to the Users table.

When multiple users can see the same sort of data, if those permissions separate nicely into roles, I’d do that. You can then use a multiple linking field to a roles table to say which roles should be able to see the data, and then put the role that a user has in the users table.

Tracking individual user permissions is also possible, with a multiple linking field to the user’s table, but that becomes harder for an admin to manage.

Anvil Extras has some prebuilt code for checking permissions via roles: Authorisation — Anvil Extras documentation

This is what I am having trouble with: how do I code it so that only users with the admin role can see an Admin page?

I figured that if the user can’t see the link that would do, but now I’m getting TypeError: 'NoneType' does not support indexing

on

    def get_role(self, user):
        role = user['role']  # the role column of the logged-in user's row
        print(f"And their role is: {role}")

Client code can be modified by malicious users. For a good user experience and good security, you have to:

  1. Make sure the link can only be seen by the right sort of user
  2. Make sure the form checks permissions, too
  3. And make sure the server-side code checks permissions

In Python that always means you’ve tried to index into a variable whose value is None. In this case your user variable is None, which happens when nobody is logged in.

3 Likes

I think I’m getting closer - :crying_cat_face: my brain hurts lol - so this here is how I’m figuring things out, this may even help someone, that would be cool :grinning_face_with_smiling_eyes:

    print(f"Hello user, let's see what role you have, if any: {user['role']}")
    current_user_role = user['role']  # assigning the user's role to the current_user_role variable
    print(f"let's print the variable current_user_role: {current_user_role}")
    print(f"let's print what type of variable current_user_role is: {type(current_user_role)}")
    admin_role = current_user_role == "admin"  # this returned True
    print(admin_role)
    self.adminPage_link.visible = admin_role

admin signing in

non-admin signing in

I have a feeling you’re educating me to define a server function and make it callable from the client
something like:

import anvil.server

@anvil.server.callable
def check_role(user):  # <- wonder if I have to pass in user, I think I do
    current_user_role = user['role']
    admin_role = current_user_role == "admin"
    return admin_role  # the server has no form, so hand the result back to the client

and place in the login function

def login_link_click(self, **event_args):
    user = anvil.users.login_with_form()
    self.adminPage_link.visible = anvil.server.call("check_role", user)
     .
     .

please tell me if I’m right if not please show the light :flashlight:

Not necessarily. What I meant by server functions needing to check permissions is that if a form calls a server function (to do whatever the form does), you have to check permissions again inside the server function. You can’t rely on the permission already being checked in the form, since that’s all client side and could be modified by a hacker.

What you’re currently doing to make links visible or not depending on the role is great. Just remember to also check permissions in any server functions called in those protected forms.
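As an added example (not code from this thread or from Anvil Extras) of the three checks described above: a client-side visibility check that tolerates a logged-out user, a server function that returns only the entries a user has been added to, and a role decorator that refuses admin-only calls. It assumes a `current_user()` lookup standing in for Anvil's server-side `anvil.users.get_user()`, and constructed in-memory dicts in place of the Users and entries Data Tables, so it runs offline.

```python
from functools import wraps

# Constructed stand-ins for the Users and entries Data Tables (not real data).
USERS = {
    'ann@example.com': {'email': 'ann@example.com', 'role': 'admin'},
    'bob@example.com': {'email': 'bob@example.com', 'role': None},
}
ENTRIES = [
    {'title': 'Q1 budget', 'viewers': ['ann@example.com', 'bob@example.com']},
    {'title': 'Ann only', 'viewers': ['ann@example.com']},
]
_session = {'user': None}  # stands in for the server's own login session

class PermissionDenied(Exception): pass

def log_in(email):
    # Simulates a login; in Anvil the Users service does this.
    _session['user'] = USERS.get(email)

def current_user():
    # Assumed stand-in for anvil.users.get_user(): the server looks the user
    # up itself, so a tampered client cannot hand it a forged role.
    return _session['user']

def require_role(role):
    # Decorator for server functions: re-check the role on every call,
    # regardless of what the client form already checked.
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            user = current_user()
            if user is None or user.get('role') != role:
                raise PermissionDenied(f"{role!r} role required")
            return fn(*args, **kwargs)
        return wrapper
    return decorator

def admin_link_visible(user):
    # Client-side check for the link; safe when nobody is logged in (None).
    return user is not None and user.get('role') == 'admin'

def my_entries():
    # Server function: only entries whose viewers column lists the caller.
    user = current_user()
    if user is None:
        raise PermissionDenied('not logged in')
    return [e['title'] for e in ENTRIES if user['email'] in e['viewers']]

@require_role('admin')
def all_entries():
    return [e['title'] for e in ENTRIES]
```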

I think I got it - what you’re telling me is that bullets 1 & 2 are good and to just keep in mind on bullet 3 - server functions, when they do stuff, should check the permissions as well. Solid, thank you :+1:t5:

1 Like