How to prevent a user from changing some or all of their profile information?

In some blocks we use the currentuser variable (username or email, it doesn’t matter) to limit the display of a user to a subset of lines.
However, we were unable to prevent the user from modifying this profile information, which would allow him to impersonate a known and different user, allowing him to see subsets of data that he normally should not see.
We tried creating a specific role that has no read, write and modify privileges on the internal Users table, but after adding the user to the new role only, the user still has the ability to modify the profile data.

Has anyone had the same problem (and found a solution)?

Our goal is simply to be able to uniquely identify the user by filtering some data for a value that is not editable by the user himself.

Any suggestions are welcome!

The current user/ID remains unchanged. Does the configuration in the screenshot below address your issue?

Hi Zhou, thank you very much for your reply.
The proposed solution is perfect for records created by the same user on the main collection, but my case is slightly different: the records are injected into the table to be filtered by other users or procedures and therefore I can’t use the ID for the filter.

I’m thinking of trying a different approach:

  • I add in the Users table two fields ‘username_ORIG’ and ‘email_ORIG’
  • when the user is added to the User table, a workflow trigger sets username_ORIG and email_ORIG with the values of username and email
  • all users are added to the Members group, which has no read/write privileges on Users (but can change the values in username and email using the ‘edit profile’ menu)
  • the filter is implemented with the username_ORIG (or email_ORIG) field, both not editable by the user
  • if the user changes his profile, the filter will not change

I guess it can be a good workaround. What do you think?
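The workaround outlined in the post above, as an added example that is not part of the original thread and is not NocoBase code: a small in-memory model showing why a row filter keyed on an editable profile field follows the user's edit, while one keyed on a creation-time snapshot does not. `createUser`, `editProfile`, `visibleRows` and the sample rows are hypothetical names and constructed data; only `username_ORIG` and `email_ORIG` come from the post.

```javascript
// Constructed model of the workaround; all names are hypothetical, not NocoBase APIs.
const PROFILE_EDITABLE = new Set(["username", "email"]); // what 'edit profile' may change

const users = new Map();

// Stand-in for the workflow trigger: snapshot the identity once, at creation.
function createUser(id, username, email) {
  const user = { id, username, email, username_ORIG: username, email_ORIG: email };
  users.set(id, user);
  return user;
}

// Stand-in for the 'edit profile' menu: an allow-list, so *_ORIG can never be written.
function editProfile(id, changes) {
  const user = users.get(id);
  if (!user) throw new Error("unknown user");
  for (const field of Object.keys(changes)) {
    if (!PROFILE_EDITABLE.has(field)) {
      throw new Error(`field not editable by the user: ${field}`);
    }
  }
  Object.assign(user, changes);
  return user;
}

// Constructed sample rows, injected by another procedure and tagged with an owner name.
const rows = [
  { ref: "R-1", owner: "alice" },
  { ref: "R-2", owner: "bob" },
  { ref: "R-3", owner: "bob" },
];

// Row filter keyed on whichever user field the block is configured to use.
function visibleRows(id, keyField) {
  const key = users.get(id)[keyField];
  return rows.filter((r) => r.owner === key).map((r) => r.ref);
}

createUser(1, "alice", "alice@example.test");
const before = visibleRows(1, "username");              // ["R-1"]
editProfile(1, { username: "bob" });                    // self-service profile change
const mutableFilter = visibleRows(1, "username");       // ["R-2", "R-3"]: filter followed the edit
const snapshotFilter = visibleRows(1, "username_ORIG"); // ["R-1"]: unchanged by the edit

// The snapshot only helps if the profile editor refuses to write it.
let snapshotWriteRejected = false;
try { editProfile(1, { username_ORIG: "bob" }); } catch (e) { snapshotWriteRejected = true; }
```

The filter on the snapshot field is only as strong as the write path: any other route that lets the user update `username_ORIG` or `email_ORIG` would reopen the same gap.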

This sounds like a feasible approach. However, the fundamental solution is for NocoBase to provide the capability to enforce user profiles. I have noted this issue and will schedule development at an appropriate time.
