Does Add Record API Can add record in table if we remove add Permission from View For Role

Question

Hi, Can somebody help me hereMy question is :Does Add Record API Can add record in table if we remove add Permission from View For a particular Role like Customer. For example like I removed record add permission for a table "Table - A" and I have written some JavaScript in which I am calling add record API on button click and I am logged in as a customer role, but I am not able to add the record.&nbsp; &nbsp;&nbsp;Any help will appreciated. Thanks------------------------------Abhishek Kumar------------------------------

markshnier__you · Answer

If you present a button to a user to do an Add Record API, it will operate on the permissions of the user. if the user does not have permissions to add record, then the API will fail. Note that hiding the Add Record button in the User Interface setting is different from Roles permission to Add Record.

------------------------------
Mark Shnier (YQC)
Quick Base Solution Provider
Your Quick Base Coach
http://QuickBaseCoach.com
mark.shnier@gmail.com
------------------------------

abhishekkumar · Answer

Hey Mark,
Thanks for your quick reply. Just for clarification It does not mean what user token we are using in API call, It will operate as per login user role. Am I understanding right.&nbsp;
For example like : The user token using in API call who has admin permission but I am logged in as Customer role and clicking a button to run that JavaScript. As per your statement this will fail because Quick Base operate on permission of logged in User.
Please correct me If I am wrong. Thanks.&nbsp;------------------------------Abhishek Kumar------------------------------

markshnier__you · Answer

No, if you include a &lt;user token&gt; that that will be the Permission that the API will operate under so in fact the API will succeed.------------------------------Mark Shnier (YQC)Quick Base Solution ProviderYour Quick Base Coachhttp://QuickBaseCoach.commark.shnier@gmail.com------------------------------

austink · Answer

Be very careful including user tokens in JavaScript or API buttons. If a user were to extract that administrative user token they could then do any call they wanted, up to the limit of the permissions associated with that user token.It isn't a common thing to have happen because it takes a pretty knowledgeable user but the possibility is there.

Forum Discussion

Does Add Record API Can add record in table if we remove add Permission from View For Role

Related Content

Custom Record Titles

Using Grid Edit to Edit Multiple Records at Once

Record Details

Many parent records on a single child record

Copy Records Step - Skipping All Records