Help

Field Permissions Behavior with Scripting App

Topic Labels: Scripting
Solved
Jump to Solution
723 2
cancel
Showing results for 
Search instead for 
Did you mean: 
JudsonSHigley
4 - Data Explorer
4 - Data Explorer

Hello All,

After discovering Airtable through a colleague in a similar area, my office has been using it to manage temporary staffing. 

Despite the trend towards (and admitted usefulness of) low-code and no-code third party solutions, I am lucky to have a formal computer science background and as such have found the ability to weave varying levels of hard code into my organization's platform in a way that (mostly) integrates well with extant declarative tools and elements uniquely useful.

Getting to the actual issue at hand, I am putting together a solution through an instance of the scripting app to run on the press of a button that takes select fields from the input record, concatenates them into a large string, and hashes them into a (semi)unique password to be used in a separate email validation process.

Collision is a non-issue and the hash has no need to be cryptographically secure, but it is important that the resulting value, which is stored in a plain text field, remain immutable in order for the validation process to work. 

I had planned to accomplish this by setting the field permissions to only allow my specific account to modify the field, but realized that the process in which this script is used involves other users actually clicking the button that initiates the script's execution. The only available loophole options are to allow form modification of fields and to allow automations to modify fields, suggesting that only forms and automations are able to bypass the permissions check. 

So, question is, when evaluating permissions prior to field modification, does Airtable's implementation check the permissions of the account initiating the process that results in the script's execution or does it allow button-initiated scripting extension executions not involving any manual input to bypass permissions checks entirely? Also, if the former is true, will checking the box that allows automations to bypass this check result in scripting extension executions to bypass it as well?

The only other forum article I could find on this subject was this one: https://community.airtable.com/t5/product-ideas/field-permissions-to-allow-for-script-manipulation/i... from 2020 which had no responses (as it was a suggestion) and did not specify whether or not the original poster had tested the mentioned functionality or just assumed that the lack of a scripting extension-related permissions option resulted in an error when initiated from a forbidden account.

(Sidenote: I realize I just described an assumption above that I seem to have made as well; there is a reason I cannot test it myself at the moment, and I also figured I could ask here for a clear answer without having to screw around with teasing one out myself)

Thanks!

1 Solution

Accepted Solutions
kuovonne
18 - Pluto
18 - Pluto

Scripting extension always checks the permissions of the current user. This applies if the user runs the script from a button field or directly in the extension dashboard. 

Automation scripts are unaware of who triggered the automation, and thus are never restricted by the user’s permissions. This is true even if the user pushed a button element in an interface to launch the automation script. 

You can either train and trust your users, or lock down the field so that only automations can set the field. Then have the user trigger the automation, either through modifying an editable field or by pressing a button element in an interface. 

Note that button fields that you create in the grid view to run a script are disabled in interfaces. 

See Solution in Thread

2 Replies 2
kuovonne
18 - Pluto
18 - Pluto

Scripting extension always checks the permissions of the current user. This applies if the user runs the script from a button field or directly in the extension dashboard. 

Automation scripts are unaware of who triggered the automation, and thus are never restricted by the user’s permissions. This is true even if the user pushed a button element in an interface to launch the automation script. 

You can either train and trust your users, or lock down the field so that only automations can set the field. Then have the user trigger the automation, either through modifying an editable field or by pressing a button element in an interface. 

Note that button fields that you create in the grid view to run a script are disabled in interfaces. 

Exactly the answer I was looking for, thank you.