Yep. I just tried to build a small app with this and I don't see anyone to limit access. So the user can just change the URL parameters and read whatever they want from the database. I hope I'm wrong but this is how it appears to be right now.

Great, thanks! That’s cool. Can I limit access at the row level by user, or can logged-in users see all the data in all the tables?

We use MySQL in the backend and it doesn't support native RLS. But you can easily achieve that using user_id = current users id to segregate the data. We are also looking into introducing roles and permission in the coming months.

Yes, I know. The problem with that user_id = current user’s ID is that it requires a separate backend to implement. This is a missing piece in the flow of nocodebackend, it blocks the possibility to use it as the backend itself for this purpose. And the auth flow only make sense with that restrictions. I love how you are integrating new, useful features and hope you can resolve this.

How does that require a separate backend? It's just a payload you need to pass as query parameters in GET and simply proxy it in your front end.
But I think we can cater this as well very easily natively within our code. I can discuss this with my team.
Thanks

If I do it on the frontend, it will be easy to hack. Anyone can change the GET parameters and access information from other IDs if they want. Since authentication does not control access at the row level, it won’t be possible to restrict this using only nocodebackend. That's why I would need another backend to do the filters and confirm it with the current session.

That's not true actually. It uses browser session token to validate each API call. So it's not possible to just change id or URL or anything. That's what the new user auth is doing.
But as I said I'll check with my team to even do the RLS for you so you don't have to.
Thanks

Yes, please check with your team. As I understand it (as a developer), if I want to do this, for example, it won’t be possible to do it in a safe way using only a nocodebackend.

Imagine my frontend is a multiplayer game with two tables: players and items. If two players are registered. Player A and Player B,how is it possible to prevent Player B from reading Player A’s items when both are logged?

We have users creating apps already 🙂. I'm still not sure what's the risk here. What if a user who's the admin wants to see records of all the users including his own? Forcing it to just show only one's records removes the flexibility.

If the app doesn’t need to be secure (like a public blog), it could work. You can build whatever you want, not saying you can’t. Admins should be able to read everything, yes, but normal users shouldn’t!, and that’s a major security problem for anyone relying on this as a security layer. It worries me that you don’t see the security issue here. Was this a response from your team?

No. That's not a response. I'm just asking you what's the security issue you have seen. I would love to see any logs or screenshots. Again, don't take this as a NO to RLS. As I said we will definitely have it in coming time (as it's not there natively).
Simply claiming that the tool is not secure without any actual facts is wrong.
Anyways, thanks for your feedback. Helps a lot.

Oh, okay. I don’t intend to be rude here; I thought I was clear about the insecure point of view I have when I gave you the multiplayer example. However, I will build a demo page to show the problem on a live system.

We will be implementing RLS with an option to enable/disable it.

Thanks for the quick update! That's exactly what I wanted :D