Security issue: all record data exposed


Today I found out that when using a list details component to display specific details of an Airtable record, the Softr frontend fetches the entire record with all fields and values (as opposed to only the fields that are being displayed). Therefore, any user can access the full data set of a record in our application.

I expect Softr to only fetch the fields that are actually being displayed. Alternatively, I would be able to select an Airtable View in Softr’s list details components in order to manually limit the fields that are being fetched.


@Reekruit, in fact, if you use new blocks, only visible fields will be exposed. However, as a general rule, it is better to split private and non-private data in case some part of the data is supposed to be visible to all while other parts are not…

Thanks @artur. What exactly do you mean by “new blocks”? I understand if I re-create the blocks then the issue will be fixed?

The problem with splitting public and private data is that our application has multiple different visibility layers. Creating different data layers for each would very much complicate the underlying data structure.

@Reekruit yes, updating or adding a new block will address it. Feel free to DM me so we can also check in your app directly.

I have this problem too!
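
The over-fetching described in the first post, and the "multiple visibility layers" concern raised later, can be handled by projecting each record through a per-layer field allowlist on the server before it reaches the browser. The sketch below is an added example, not part of the thread and not Softr's or Airtable's code; the layer names, field names and sample record are constructed, and only the `{ id, fields }` record shape follows Airtable's API.

```javascript
// Added example: deny-by-default field projection for an Airtable-style record.
// Layer names and field names are hypothetical, chosen for illustration.
const FIELDS_BY_LAYER = {
  public: ["Name", "Role"],
  recruiter: ["Name", "Role", "Email"],
  admin: ["Name", "Role", "Email", "Salary", "Notes"],
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Fields a layer may see; unknown layers (including "__proto__") get none.
function allowedFields(layer) {
  return own(FIELDS_BY_LAYER, layer) ? FIELDS_BY_LAYER[layer] : [];
}

// Return a copy of the record holding only the fields the layer may see.
// Run this server-side so hidden fields never reach the client.
function projectRecord(record, layer) {
  const fields = {};
  for (const name of allowedFields(layer)) {
    if (own(record.fields, name)) fields[name] = record.fields[name];
  }
  return { id: record.id, fields };
}

// Audit helper: given a record as the browser received it, list the fields
// that were not meant for this layer. An empty array means no over-exposure.
function leakedFields(responseRecord, layer) {
  const allowed = new Set(allowedFields(layer));
  return Object.keys(responseRecord.fields)
    .filter((name) => !allowed.has(name))
    .sort();
}

// Constructed sample record, shaped like an Airtable API record.
const SAMPLE_RECORD = {
  id: "recCONSTRUCTED01",
  fields: {
    Name: "Jane Doe",
    Role: "Engineer",
    Email: "jane@example.com",
    Salary: 100000,
    Notes: "internal only",
  },
};

console.log(leakedFields(SAMPLE_RECORD, "public"));
console.log(projectRecord(SAMPLE_RECORD, "public"));
```

Running `leakedFields` against the JSON visible in the browser's network tab for each user role shows whether a block still returns more than it displays.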