Does Add Record API Can add record in table if we remove add Permission from View For Role

Question

Hi, Can somebody help me hereMy question is :Does Add Record API Can add record in table if we remove add Permission from View For a particular Role like Customer. For example like I removed record add permission for a table "Table - A" and I have written some JavaScript in which I am calling add record API on button click and I am logged in as a customer role, but I am not able to add the record.&nbsp; &nbsp;&nbsp;Any help will appreciated. Thanks------------------------------Abhishek Kumar------------------------------

markshnier__you · Answer

If you present a button to a user to do an Add Record API, it will operate on the permissions of the user. if the user does not have permissions to add record, then the API will fail. Note that hiding the Add Record button in the User Interface setting is different from Roles permission to Add Record.

------------------------------
Mark Shnier (YQC)
Quick Base Solution Provider
Your Quick Base Coach
http://QuickBaseCoach.com
mark.shnier@gmail.com
------------------------------

abhishekkumar · Answer

Hey Mark,
Thanks for your quick reply. Just for clarification It does not mean what user token we are using in API call, It will operate as per login user role. Am I understanding right.&nbsp;
For example like : The user token using in API call who has admin permission but I am logged in as Customer role and clicking a button to run that JavaScript. As per your statement this will fail because Quick Base operate on permission of logged in User.
Please correct me If I am wrong. Thanks.&nbsp;------------------------------Abhishek Kumar------------------------------

markshnier__you · Answer

No, if you include a &lt;user token&gt; that that will be the Permission that the API will operate under so in fact the API will succeed.------------------------------Mark Shnier (YQC)Quick Base Solution ProviderYour Quick Base Coachhttp://QuickBaseCoach.commark.shnier@gmail.com------------------------------

austink · Answer

Be very careful including user tokens in JavaScript or API buttons. If a user were to extract that administrative user token they could then do any call they wanted, up to the limit of the permissions associated with that user token.It isn't a common thing to have happen because it takes a pretty knowledgeable user but the possibility is there.

Forum Discussion

Does Add Record API Can add record in table if we remove add Permission from View For Role

4 Replies

Related Content

Button: save the new record and edit the new record

How to add list of attachments on child record from parent record

Get latest child record on parent record

Filter records based on table connection

WHAT HAPPENS AFTER A RECORD IS SAVED

Recent Discussions

Back to basics: Pulling info from a grand-parent table

File Attachment Field in Pipelines

Can I use quickbase actions within the same table?

Question about relationships

Reports & Charts - Managing Client-Specific Name Visibility