How secure is wix-data in the front end?

I have a data repeater which shows some of the fields of a dataset. Each object in the dataset also contains fields which I would rather not share openly. (To be specific, I am showing driver profiles with first name only, but the data collection contains last name and contact information as well, and I don’t want people to access this.)

In the page code, I made some custom filters which respond to user input.
Can someone access the full contents of the dataset through their browser developer tools? If so, how can I prevent it?

EDIT: Right after writing this I tried and realised how easy it is to access all the info. So I’ll refer to my second question again. How can I prevent it?

You can move the query to a function in the backend. Call this function from the frontend, and in the backend function only return the fields that you want to be made available in the frontend.

@yisrael-wix Thanks for that. I will do it. Even so though, is there no way for someone to access the data via the $w('#repeater') element? As in, if they slot in a $w('#repeater').onItemReady and then access the itemData through that.

@alexander51828 Not if you don’t pass the sensitive data to the Repeater. Just send the fields that are OK for site visitors to see.

@yisrael-wix Maybe I’m missing something here. Wix lets me drag a dataset object onto the page and connect that to a base. Does this mean that any time there is at least one field in the base that I don’t want to expose, I should use backend code instead of using the dataset object?

@alexander51828 Although a dataset is added to the page, it does not appear as a component, and is therefore “hidden” from the site visitor. The fields and components in a repeater are bound to the dataset fields - only those fields will appear on your page and the other fields will remain hidden. In that regard, the dataset behaves like backend code and functions as an interface between the data collection and the components on your page.

@yisrael-wix Thanks. The fact that the dataset is hidden makes sense. What’s concerning to me is although you say “only those fields will appear on your page and the other fields will remain hidden”, I can still access the other fields via code in the console.

So for instance, if I open up the developer console in Chrome and hover my mouse over itemData in the second line here:

$w('#repeater1').onItemReady( ($item, itemData, index) => {
    let tags = itemData.coverageArea;
});

I get to see everything in that item, even the fields that I didn’t choose to show. Now I don’t think I can move this piece of code to the backend as it’s interacting directly with a page element (correct me if I’m wrong, I’m pretty new to this stuff). So it seems I have no alternative but to do what you originally said and completely ditch the dataset<>repeater thing and code it all up, right?

@alexander51828 I don’t want to take any chances, so I got in touch with one of the database devs to make sure. I’ll update you when I get his reply.

@yisrael-wix Thanks so much! And just in case you missed it, I added another reply above just as you posted that.

@alexander51828 Aha - now I see how you are using it. In this case, backend code might be the answer. Or, maybe there’s another way to handle the dataset. Let’s see what the db says.

@yisrael-wix Yep, I did this because I wanted to show some of the fields in a more custom way. But I’m actually more concerned that even if I move it to the backend somehow, someone could still use the console to access the $w('#repeater') anyway. I feel like as long as the repeater is there and connected to the dataset, all the fields are exposed.

Here’s the reply from the db dev…

Data Set is client only. Client always receives the full item from the backend, regardless of what is bound.
So, in his case, yes, he should use backend function as you have suggested. We will likely work on field level permissions next year, but so far backend functions are the only way.

Thanks a lot for investigating, @yisrael-wix! That’s clear now.
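
The backend approach recommended in this thread, as an added example that is not part of the original posts or Wix's own code: an allowlist projection that a backend function applies before any item reaches page code. The field keys, the `Drivers` collection name and the `runQuery` wrapper are assumptions; in Velo, `runQuery` would wrap `wixData.query('Drivers').find()` inside a backend web module.

```javascript
// Added example (not from the thread). Field keys, the 'Drivers' collection
// and runQuery are assumptions made for illustration.

// Allowlist: only these keys ever leave the backend.
const PUBLIC_FIELDS = ['_id', 'firstName', 'coverageArea'];

// Copy only allowlisted keys. A field added to the collection later stays
// private by default, which a "delete the sensitive keys" approach would not do.
function toPublicProfile(item) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(item, key)) out[key] = item[key];
  }
  return out;
}

// Backend entry point: run the query server-side, then project every item.
// runQuery must resolve to { items: [...] }, like a wix-data query result.
async function getPublicDrivers(runQuery) {
  const result = await runQuery();
  return result.items.map(toPublicProfile);
}

// Constructed sample rows standing in for the collection contents.
const SAMPLE_ITEMS = [
  { _id: 'a1', firstName: 'Dana', lastName: 'Example', phone: '555-0100',
    email: 'dana@example.com', coverageArea: ['North', 'East'] },
  { _id: 'b2', firstName: 'Lee', lastName: 'Sample', phone: '555-0101',
    email: 'lee@example.com', coverageArea: ['South'] },
];
const fakeQuery = async () => ({ items: SAMPLE_ITEMS });

// Page code would assign the returned array to the repeater's data instead of
// binding a dataset, so itemData in onItemReady holds only allowlisted fields.
getPublicDrivers(fakeQuery).then((rows) => console.log(rows));
```

The projection only helps if the collection's read permissions also stop site visitors from querying it directly from page code; otherwise the full items are still reachable from the browser.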