ProcFu Help
Security

Mini Apps enforce security to prevent unwanted data from leaking out. If you ever do notice data leakage, please submit a support ticket ASAP so we can plug the hole.

Public Screens

For apps with authentication, you will need to log in to see anything (except the login page of course).

To make a screen accessible without logging in, you can set the "public" flag in the editor:

URL Hacking Prevention

Most apps are designed in a master → detail fashion. That means the user sees a summary table of items, then clicks on one for the detail of that item.

What we don't want is for curious people to start altering the URL to see what else is in the box.

Eg: if your app's detail screen is at procfu.com/myapp/somescreen/1234, we don't want someone to start randomly trying to access:

ProcFu apps enforce that any item to be viewed in a detail screen was FIRST seen in a summary screen.

There are a few use-cases where you may not want this. For example, you have a calculation link in a Podio app that links to your ProcFu app with the Podio item ID coded in the URL. In this case there is no table screen first; the user is dropped directly onto the detail screen.

In order to make this work, you need to check the "Security Allow URL ID Override" option:

If this is selected, the app will no longer enforce having seen the item in a table first.

⚠️
IMPORTANT: This opens up your app to the URL hacking exploit. Users can in theory view/edit ANY item in that app.
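To make the "seen in a summary screen first" rule and the effect of the override option concrete, here is an added illustration in Python. It is not ProcFu's code and does not reflect how ProcFu stores this state internally; it models the behaviour described above with a per-session set of item IDs. Session, ITEMS, VISIBLE_TO and the function names are assumptions made for the example.

```python
# Model of the detail-screen guard described on this page (added example, not ProcFu code).
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side state for one logged-in user (constructed for the example)."""
    user: str
    seen_ids: set = field(default_factory=set)


class DetailAccessDenied(Exception):
    """Raised when a detail screen is requested for an item this session never saw in a summary."""


# Constructed sample data: every item in the app, and which items each user's summary shows.
ITEMS = {1234: "Invoice 1234", 1235: "Invoice 1235", 9999: "Invoice 9999"}
VISIBLE_TO = {"alice": {1234, 1235}, "bob": {9999}}


def render_summary(session: Session) -> list:
    """Summary screen: list the user's items and record which IDs were shown to this session."""
    ids = sorted(VISIBLE_TO.get(session.user, set()))
    session.seen_ids.update(ids)
    return [(i, ITEMS[i]) for i in ids]


def render_detail(session: Session, item_id: int, allow_url_id_override: bool = False) -> str:
    """Detail screen: serve an item only if this session already saw it in a summary.

    allow_url_id_override models the "Security Allow URL ID Override" option:
    when it is on, the guard is skipped and any item ID typed into the URL is served.
    """
    if not allow_url_id_override and item_id not in session.seen_ids:
        raise DetailAccessDenied(f"item {item_id} was not reached via a summary screen")
    if item_id not in ITEMS:
        raise KeyError(item_id)
    return ITEMS[item_id]
```

The important design point is that seen_ids lives on the server side of the session, not in a value the browser sends back; the guard is only as good as the user's inability to edit that set. The override flag removes the guard entirely, which is exactly why the warning above applies.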

IP Address Enforcement

If you want to restrict access to your app by IP address, you can add checks in any code event. The user's IP address will be in $_int.ip_address. For example, in App Before Process:

$allowed = explode(",", get_var("allowed_ips"))
if ( not(in_array($_int.ip_address, $allowed)) ) {
	throw "Illegal Location: " + $_int.ip_address
}

This assumes you're storing your list of allowed IP addresses as a comma-separated string in a PF var called allowed_ips. Eg:

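The check above does an exact string match on each entry, so a stray space after a comma ("1.2.3.4, 5.6.7.8") would make the second address never match, and there is no way to allow a whole office range. Here is an added reference implementation of the same allowlist check in Python (not ProcFu script, and not ProcFu's own code) that trims entries, accepts CIDR ranges, and fails loudly on a malformed entry. The function names and the sample addresses are constructed for the example.

```python
# Added example: a hardened version of the allowed_ips check, written in Python.
import ipaddress


class IllegalLocation(Exception):
    """Counterpart of the page's throw "Illegal Location: ..." for a disallowed address."""


def parse_allowed_ips(allowed_ips: str) -> list:
    """Turn the comma-separated allowed_ips var into network objects.

    ' 203.0.113.5, 198.51.100.0/24 ' -> [203.0.113.5/32, 198.51.100.0/24]
    Blank entries (trailing commas) are skipped; a malformed entry raises
    ValueError so a typo in the var is noticed instead of silently failing.
    """
    networks = []
    for raw in allowed_ips.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # strict=False lets "198.51.100.7/24" mean the whole /24 rather than erroring
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(ip_address: str, allowed_ips: str) -> bool:
    """True if ip_address falls inside any entry of the allowlist."""
    try:
        addr = ipaddress.ip_address(ip_address.strip())
    except ValueError:
        return False  # an unparsable address is never allowed
    return any(addr in net for net in parse_allowed_ips(allowed_ips))


def enforce_ip(ip_address: str, allowed_ips: str) -> str:
    """Equivalent of the App Before Process check: raise on a disallowed address, else pass it through."""
    if not is_allowed(ip_address, allowed_ips):
        raise IllegalLocation(f"Illegal Location: {ip_address}")
    return ip_address
```

Whatever language the check is written in, it is only as trustworthy as the address it is given: an IP allowlist assumes the platform populates the address from the actual connection rather than from a header the client can set.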
(c) 2024 ProcFu for Podio - by Globi | Join the Discussion in our Podio Workspace.