Owner and ID fields

Hi @alexander-wix @tiaan @yisrael-wix ,

I have been looking at the security of Wix and data collections on websites. I have noted that when a Wix site is live, Wix says that users can edit and update the javascript code and can view the data collections and information on these collections. I need to have a collection readable by everyone but don’t want everyone being able to see all the data, especially malicious site visitors. For this I am now implementing encryption before data is saved and encryption for when data is called by a query or get data.

What I need to know is: if there were ever to be a malicious site visitor, what fields in the data collection can they and can’t they see? Would they be able to see the collection’s Owner/ID fields?

Best wishes,

Si

Where do you read this?
“Wix says that users can edit and update the javascript code and can view the data collections and information on these collections.”

It doesn’t matter where exactly, because it’s true anyway.
Data on your browser can be viewed by users who know where to look for it (the average user doesn’t know how to do it).
That’s why you should run queries and tasks on the backend if they contain data that shouldn’t be viewed by the users.

@jonatandor35 This is very true, but are there any fields that cannot be seen within a collection by the client side, for example the Owner field? Because surely that is the most important field. If this is visible to all, if all can view a data collection, then surely if you hold private information it could be found using the owner field? This is why I am encrypting all data that I receive from customers. Please do let me know, though, if a field such as Owner cannot be seen by malicious users.

@simonadams the experts you mentioned in the first line of your post will probably be able to answer this question.

@jonatandor35 Many thanks. Unfortunately the experts don’t respond to my questions on the forum any more, not sure as to why. However, it would be good for all to know the answer, so I will await their response. @Alexander (Wix) @Tiaan - wix-coders.com @Yisrael (Wix)

@simonadams try after the weekend.

Has anyone got any answers to this? @yisrael-wix @alexander-wix @brett-haralson

Hey my friend - Let me see what I can do. :slight_smile:

@brett-haralson Thank you.

Brett asked me to put some light on the subject. So, a few things to know:

  1. We don’t hide fields based on where the query originates. All of the fields in the item are available in the frontend, including _owner.
  2. The only fields we do hide are fields marked as deleted. They are unavailable to both backend and frontend until restored.
  3. If only some of the fields should be visible to the frontend, as suggested above, the query should be performed in the backend and only public fields should be returned to the frontend. But be careful not to directly update the item from the frontend in this case. Using wixData.update(…) or wixData.save(…) would lose the fields that were not passed up.
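
Point 3 above, as an added example (not part of the original reply and not Wix's own code): a backend-style query that returns only allow-listed fields, and an update that reloads the stored item first so hidden fields are not lost. The field lists, the "Customers" collection, the `callerId` parameter and the in-memory `makeFakeWixData` stand-in are assumptions; in a Velo backend module the `wixData` argument would be the imported `wix-data` module.

```javascript
// Added example, not Wix code. PUBLIC_FIELDS, EDITABLE_FIELDS, the "Customers"
// collection and the callerId parameter are assumptions made for illustration.
const PUBLIC_FIELDS = ['_id', 'displayName', 'city'];
const EDITABLE_FIELDS = ['displayName', 'city'];

// Copy only allow-listed keys, so _owner and private fields never leave the backend.
function pick(item, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(item, f)) out[f] = item[f];
  }
  return out;
}

// Run the query in the backend and hand the frontend the public projection only.
async function listPublic(wixData) {
  const res = await wixData.query('Customers').find();
  return res.items.map((item) => pick(item, PUBLIC_FIELDS));
}

// update() replaces the whole item, so reload the stored item, overlay only the
// editable fields from the caller's patch, and write the complete item back.
// The _owner comparison keeps one visitor from editing another visitor's item.
async function updatePublic(wixData, id, callerId, patch) {
  const stored = await wixData.get('Customers', id);
  if (!stored || stored._owner !== callerId) throw new Error('not found');
  const merged = { ...stored, ...pick(patch, EDITABLE_FIELDS) };
  const saved = await wixData.update('Customers', merged);
  return pick(saved, PUBLIC_FIELDS);
}

// Constructed in-memory stand-in for wix-data so the example runs outside Wix.
// Its update() overwrites the stored item, matching the behaviour described above.
function makeFakeWixData(rows) {
  const store = new Map(rows.map((r) => [r._id, { ...r }]));
  return {
    query: () => ({ find: async () => ({ items: [...store.values()].map((r) => ({ ...r })) }) }),
    get: async (_collection, id) => (store.has(id) ? { ...store.get(id) } : null),
    update: async (_collection, item) => { store.set(item._id, { ...item }); return { ...item }; },
    peek: (id) => store.get(id), // test helper: inspect what is actually stored
  };
}
```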

@giedrius-grazevicius Many thanks for the response. So with having a collection open to all to read, how would it be best to make sure not everyone could read all items of the collection, or even one item, if they were a malicious site visitor? At present I have the site with HTTPS, so that should secure the browser-to-server connection, but how do I make sure that all data is the safest it can be? It’s pretty key to what I am trying to achieve. Si