Hi, I have the following use case:
I have an external DB containing leads belonging to multiple users (sales persons). Users are site members with an assigned role (so they have to be logged in to view data).
I would like each sales person to see only the leads associated with him.
I know I can get the current user's email using wix-users and use the email (or another ID attached to this email) as the identifier for the external DB.
My question is, since the FE script is exposed in clear text, couldn’t anyone change the fetch (e.g. replace the email when fetching external data) and see another user's leads? (When users work in the same agency the email is not a big secret.)
See the pseudo-example below:

```javascript
import wixUsers from 'wix-users';

// Getting current user
wixUsers.currentUser.getEmail()
  .then((userRes) => {
    // fetching the user leads
    getUserLeads(userRes); // Anyone can see this line and replace userRes with an email string to his liking
    return GID(userRes);   // GID: placeholder from the pseudo-example
  });
```
I know I can use “external collections” with an adapter and attach a dataset with a filter, but I have the same issue with local collections, and anyway I would like to avoid this if possible.
Even putting this code in ‘onReady’ won’t help, as I see it, since anyone can see the logic, copy it to another place and run it.
Appreciate any suggestions
Thanks