Hello,
I have an “Events planner” application, to be used by my colleagues. Staff create an event via a form, it syncs to Airtable, their Outlook, etc., very easy. Events get saved in a list block; clicking through a list details block for full details. Only people assigned to the events can edit them, and other associated actions.
One such associated action for these assigned users is adding tasks for an event. Tasks go on a seperate table, but are linked with a linked record field. The “add task” page is a seperate list details page, but which shares the same record ID; the page uses a Fillout form with some code and hidden field to associate the task with the original event record.
My issue is: although I can show/hide the action button to open the “add task” page based on a user’s conditions, the actual URL of the page itself could in theory be accessed by anyone who pastes the URL and the record ID. So, effectively, anyone could in theory add a task to an event they’re not assigned to.
Ideally, I’d like to be able to hide the visibility of the whole “add tasks” page using User groups, but to my knowledge, this only accepts static values. (e.g. I can’t create a user group such as "Logged in user’s Events is one of current page URL). Whereas a user might need to be able to add tasks for one event, but not another.
Don’t suppose anyone might have any ideas for how to address this?
Much appreciated,
Matt