Kieran McKewen on 24 Sep 2024 04:44:23
I'm working on a product that allows administrators to manage their report's RLS for other non-admin app users. We already restrict what users see using RLS username + role and separating datasets when generating the embed token.
We are adding the ability for an admin to also restrict which pages of the report a user can see. There's currently a potential security flaw in our product wherein the list of pages can only be supplied client-side during the display of the embedded report (after token generation).
If there were an optional list of pages we could supply when generating the token, then the embed would only ever show the pages they are allowed to see, regardless of client-side tomfoolery.
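For readers following the post above, here is an added example (not the poster's product code) of the server-side half of the "embed for your customers" flow as the Power BI REST API exposes it today: the GenerateToken request body carries datasets, reports and an effective identity (username + roles + datasets), and that identity is what the service enforces. The report/dataset IDs, username and roles are placeholders, the Azure AD access token is assumed to come from elsewhere (e.g. MSAL), and the HTTP opener is injectable so the code runs offline. The point it illustrates is the gap the post describes: the token schema has no field for pages, so the page restriction built in the browser config at the end is a hint the JavaScript SDK honours, not something the service enforces.

```python
# Added example (not the poster's product code): server-side construction of a
# Power BI "embed for your customers" GenerateToken request that pins the RLS
# identity (username + roles) to the datasets of one report. Report/dataset IDs,
# usernames and roles below are placeholders.
import json
import urllib.request

GENERATE_TOKEN_URL = "https://api.powerbi.com/v1.0/myorg/GenerateToken"


def build_generate_token_body(report_id, dataset_ids, username, roles):
    """Return the JSON body for POST /GenerateToken (multi-resource form).

    The effective identity is what the service enforces: queries run as
    `username` with only `roles` applied, on exactly the listed datasets.
    Nothing in this schema names report pages, so page visibility cannot be
    pinned here.
    """
    if not dataset_ids:
        raise ValueError("at least one dataset id is required")
    if not roles:
        # An identity without roles applies no RLS filter; refuse rather than
        # silently mint an unfiltered token.
        raise ValueError("refusing to mint a token with no RLS roles")
    return {
        "datasets": [{"id": d} for d in dataset_ids],
        "reports": [{"id": report_id, "allowEdit": False}],
        "identities": [
            {
                "username": username,
                "roles": list(roles),
                # Every dataset the identity applies to must also appear in
                # "datasets" above; the service rejects the request otherwise.
                "datasets": list(dataset_ids),
            }
        ],
    }


def request_embed_token(access_token, body, opener=urllib.request.urlopen):
    """POST the body to the Power BI REST API with a caller-supplied bearer
    token (Azure AD / MSAL acquisition not shown). `opener` is injectable so
    the function can be exercised offline."""
    req = urllib.request.Request(
        GENERATE_TOKEN_URL,
        data=json.dumps(body).encode(),
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with opener(req) as resp:
        return json.load(resp)


def client_embed_config(embed_token, report_id, allowed_pages):
    """Build the config handed to powerbi-client in the browser.

    `pageName` and the navigation-pane setting are hints honoured by the
    JavaScript SDK; a user who edits the page's script can still navigate to
    any page of the report with this token. Only the RLS identity baked into
    the token survives that tampering.
    """
    if not allowed_pages:
        raise ValueError("no pages allowed for this user")
    return {
        "type": "report",
        "tokenType": 1,  # models.TokenType.Embed
        "accessToken": embed_token,
        "embedUrl": f"https://app.powerbi.com/reportEmbed?reportId={report_id}",
        "id": report_id,
        "pageName": allowed_pages[0],
        "settings": {"navContentPaneEnabled": False},
    }
```

Usage: call `build_generate_token_body` with the user's RLS username and roles, pass the result to `request_embed_token`, and hand only the returned token and the allowed page list to the browser. Everything in `client_embed_config` after the token is advisory; treat it as a UX convenience, not an access control.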