Hey guys! Is there any way to hide or mask the URL? I want to hide the ID part when a user logs in, for security issues. Thank you!
No. Impossible, no matter whether you are using a website builder or not.
What do you mean by the “ID” part?
You can always use database to store private info.
Hi there,
The login process doesn’t have anything to do with the actual URL of the page, so there’s nothing to worry about. Furthermore, the URL cannot be hidden or masked.
Mm, that's a problem. On my website, when a user enters his members page, the URL shows something like /members/{ID} and, because I have the members database set to “anyone can see the database”, it is enough for someone to know another person's user ID and copy and paste it into the URL to enter that account. He couldn't make any changes, but the fact that any user profile can be seen is not good.
I know that a solution would be setting the dataset to “members only”, but if I do that, the “My account” button that links to the user page stops working.
Here is the code of “My Account” button. Maybe you can recommend a useful correction.
    $w.onReady(() => {
        $w('#profileButton').onClick((event) => {
            $w("#dataset2").onReady(() => {
                let $item = $w.at(event.context);
                let currentItem = $item("#dataset2").getCurrentItem();
                let dynamicPageID = `${currentItem._id}`;
            })
        })
    })
@Ahmad
@Certified Code Global
You’re talking about security while your website is exploited and vulnerable to malicious activities, do you know that using datasets exposes all the data of your users? Make sure to include that in your privacy policy.
To take a secure approach, first, you need to forget everything about datasets and dynamic pages and handle everything in the backend: set all your collections' permissions to “Private”, access the data securely on the backend, replace your dynamic pages with router pages, compare the currently logged-in user's ID with the ID of the data owner, and only grant him permissions if the IDs match.
There is a lot to do if you’re taking the site security seriously, I recommend consulting a development agency about your site security, take actions and update your privacy policy accordingly.
I am not aware that datasets are that vulnerable. Wix should say something about this before people start using those tools.
Thanks for the advice, I am just testing and learning about coding so that in the future I can make a well-secured website. Do you know any guide where I can start learning about backend user data and router pages?
Good question. I have had the same one on my mind for weeks already.
Wix gives you controls over the dataset; you can set the permissions as needed, including member-only content. I was talking about your specific use case.
I don’t know any at the moment, but I’ll create a complete guide in this regard in a few days.
@russian-dima what is the question??
About the security of datasets.
For example, why is there no hint about it in the docs? (Is there a hint that can be found on this topic?)
A bunch of people surely design and create their websites using datasets.
It’s quick and much more comfortable and easier to use than coding it on your own.
No matter the loss of flexibility.
But → security risks? ← This should normally be mentioned in the docs, shouldn’t it? Or it should even be described how to do it the right way.
Just my opinion.
@russian-dima Totally agree. There is a lack of information about these security issues.
I recently found this, but it is still scarce.
@russian-dima and @cryptoirt the APIs clearly state that when using the dynamic dataset, the whole item (including all of its fields) is returned to the frontend using getCurrentItem(), so if you have a sensitive field in the database, using datasets will end up exposing all the fields of that item to the frontend, so there’s nothing on Wix in this regard.
Also, you can set permissions on the collection to only allow the data owner to access their data, this way the item will only be exposed to its data owner, but even in this case, there might be some fields you do not wish to expose to the client, Wix gives you control from making the collection strictly private, to opening it to the public, and everything in between, it’s your responsibility to ensure you use the right permissions to protect your data.
Datasets that display all items in a repeater also allow you to see all the items in the same way the dynamic datasets do.
The bottom line: Wix has nothing to be blamed for.
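
An added example, not part of any post in this thread and not Wix's own API: a plain JavaScript sketch of the two points made above, the backend check that the logged-in user's ID matches the data owner's ID for /members/{ID}, and returning only selected fields instead of the whole item. The function names, the field allowlist, the /login path and the sample members are all assumptions constructed for illustration.

```javascript
// Constructed sample data standing in for a collection whose permissions are private.
const MEMBERS = new Map([
  ["a1f0", { _id: "a1f0", _owner: "a1f0", nickname: "ana", email: "ana@example.test", phone: "555-0100" }],
  ["b2e9", { _id: "b2e9", _owner: "b2e9", nickname: "ben", email: "ben@example.test", phone: "555-0101" }],
]);

// Only these fields ever leave the backend; the rest of the item stays server-side.
const CLIENT_FIELDS = ["_id", "nickname", "email"];

// Hypothetical backend handler for /members/{ID}.
// sessionUserId must come from the server-side session, never from the URL or the request body.
function memberPage(sessionUserId, requestedId) {
  if (!sessionUserId) {
    return { status: 401, body: null }; // not logged in
  }
  const item = MEMBERS.get(requestedId);
  // Same answer for "no such member" and "not your profile", so the response
  // does not reveal which IDs exist.
  if (!item || item._owner !== sessionUserId) {
    return { status: 403, body: null };
  }
  // Copy the allowlisted fields only; the raw item is never returned.
  const body = {};
  for (const field of CLIENT_FIELDS) {
    body[field] = item[field];
  }
  return { status: 200, body };
}

// Hypothetical target for a "My Account" button: built from the session,
// so the client does not need to read an ID out of a publicly readable dataset.
function myAccountPath(sessionUserId) {
  return sessionUserId ? `/members/${sessionUserId}` : "/login";
}

console.log(memberPage("a1f0", "a1f0"));        // own profile, phone omitted
console.log(memberPage("a1f0", "b2e9").status); // someone else's ID pasted into the URL
console.log(myAccountPath("b2e9"));
```

With this shape, knowing another member's ID is not enough to view their profile, because the decision depends on the session and not on what appears in the URL.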