Identify non coda users (Client portal)

Hello, new at Coda, so have a couple questions :wink:

I would like to give access to Coda data (in a table of a doc) to a lot of different client, each client can of course see only the data he is linked too. They just need a read access. This is non sensitive data (low security solution accepted :slight_smile: )

First obvious solution is to invite them all, they create a Coda account, I link the data to them in the table and filter based on connected user.
Several downsides for me with this solution: Lot’s of invitation to do, they have to create account, they can put any stupid name they want (like me right now) and difficult for me to know who is who, can’t link data to them until they have made an account, they have coda environnement they don’t care,…

When the documation say “external users” what does it means exactly? Coda user but outside of my workspace? Non Coda user (but how they are identified then, what sort of account is this?)

Another solution could be to create a User table representing all of my clients, with a “token” column which is a code that identify them. I can easily send it to them and then use it to identify them, like puting the token in the document url as a query param (like ?token=ABCD) and filter the table data based on the query param. This is very low security I know, but really acceptable for my non sensitive data in my use case. But I can’t find how to get the url param in any formula. Is this possible to get the url params in the doc? Or other way (cookie, …) ?

Any other suggestions to “identify non coda users” are welcome :wink:

Thanks

1 Like

Hey there @Fake_Fake ! Welcome to the Coda Community!

You can totally do this! I’ve actually done something extremely similar. Ill walk you through some steps you would need to take, and you can also see the example doc below.

  1. Structure your document like I did below and then hide every page that is not the one your clients need to view
  2. Publish your document! This will allow anyone to see/view the data in it without having to create a Coda account. Make sure when you publish under “Interaction and Appearance” that you turn on the option to show pages in the top nav bar - this will take away the universal search bar and help increase security in your low security solution
  3. Once you do all that, and write your filter formulas on the client view page just like I did mine, all the clients will need is their password or code from you and the information on the published website will populate for them

Here is the example doc: (Try typing in aaaa for the code or bbbb)

If you have any more questions reach out, or feel free to share your example doc with me here and I can help you structure it!

Lastly - This post would be much better suited for the “Ask the Community” section. Try posting in there next time.

6 Likes

Nice idea. This looks like what I need :+1:. As an improvement, can we populate the search field from a query param? (so they wont need to copy their code, only click on their url) ?

I dont have any doc at the moment, just looking if it could work in coda before switching anything from airtable :wink:

Moved to Ask the community :slight_smile:

Thanks for the explanation and example :ok_hand:

This is such a creative way to limit access to data! Thank you for sharing!

1 Like

Hey @Fake_Fake

In short- no you cannot do this. You would need to provide the one published link to anyone who needs it along with their code that they would need to manually type in

Heres another solution/workaround (that ill admit is a little bit silly):

  1. Create a document where each row contains the unique information a client will need to see
  2. Plug all the data from a single row (every column) into a single cell using the format() function (way better than concatenate as you can format it with column headers before and bring lots of context to the information)
  3. Create a 2 column form (Column 1 should pull in all the information from your formatted column in the client table and prepopulate it into the URL of the form via the .encodeforurl() formula. Column 2 could be a checkbox that says “I confirm that I read this information” or something silly like that)
  4. Your clients would then “submit” the form. Or honestly they don’t even need to submit it, they have still seen the unique data you want them to with absolutely zero access to any other data in the document (its a little more secure like this)

Yes - its a weird solution, but if you give more context to exactly what you are trying to do, I might be able to provide more specific insight!

@Scott_Collier-Weir I dont really understand how this hack works. If I do, this will only show them some data in one only field?

Here is my use case: I need an app that will manages all the reports some people do about others people. I’m part of formers for basket-ball referees in my region. At the moment (I mean before Covid lol) we evaluate referee when they officiate on court, by watching them, analyse their prestation and then fill a report with some creteria that is send to the federation. This report is then available/viewable by the referee (readonly of course) and by his former (create/modify until it is validated) and by “managers” (validate and smalls edit of the reports like typos…). For now all the reports are made in Excel sheets then send by mail to a manager, converted to pdf, resend to referee, all by hands, saving all results in one Excel sheet on local computer, loosing computer, loosing all of the data… not really 2021 :wink:

I have already created an Angular App based on Airtable data, but as we are Non profit organization we do not have budget for an application (like 1 airtable account and 1 hosting for app, or 1 Coda maker are too high for budget…) and with no budget for maintainng an app… I’m looking for any low-code app that could handle this at low price too.

What I want is an app that:

  • For referees: list + view the reports they received (and which are valdiated)
  • For formers: list the report they wrote + add new reports (and edit until they are in state validated by managers)
  • For manager: list all the reports + validate them.
  • The validation is a status property on each report that prevent formers to send incomplete/incoherent reports.
  • Have this structure on several divisions/leagues. A roles permissions system should handle the idea that you can be referee in one division and a former in another one because some “high level” referees are formers in lower divisions.

So I think all of this could be done in Coda with usuals Coda users, but I would like to avoid the creation of a lot of accounts for the reason I explained on the first post.

Thanks in advance :wink:

@Fake_Fake - Thanks for the thorough explanation! Coda could definitely handle all of this.

I would recommend getting at least the $10 a month Coda account for 1 maker who could then create the doc/apps necessary.

You could possibly do it all on the free account, but depending on how much data you have (amount of reports=amount of rows, you will need some buttons, views, formulas, etc) you may outgrow the free plan.

I would then structure it so that your formers and managers have Coda accounts so they can edit data (reports). Although, you could have it so formers input data through an external form that then gets formatted into a readable and digestible version via some format() formulas in your doc and then pushed into a read-only version on a published doc like the one I shared with you before (where referees input their “Code”)

If you have gmail you could also hook up the gmail pack and have the reports auto-emailed to the referees when validated.

So many options! Good luck making and feel free to reach back out yo the community for support.

Thanks for the explainations, will check that :wink:

If you want a unique clickable URL for each client, showing only their relevant info, my suggestion would be to use separate pages. And share published links.

For each client:

  1. Create a page with all relevant information. (You can even create pages with buttons if that helps make things faster for you).
  2. Then to get the link to a specific page, open the published link and simply navigate to that page
  3. and the last step would be to append ?hideSections=true at the end of your URL.

That token is just another way to (non-securely) limit access to data. I believe it works in both published docs and embeds. The final url will look something like this: https://coda.io/@fake_fake/my-doc/client-page-12?hideSections=true that you can share with each client.

3 Likes

Hi Ryan, Would you be able to point to a doc that does this? Would the separate pages be published individually?

Here is a demo:

The coda doc itself of course should only be shared with the people who should be editing multiple or all pages of the doc.

Now the links for “Betty the Client” and “Google the Client” respectively are:

  • https://coda.io/@movein/published-doc-demo/betty-the-client-2?hideSections=true
  • https://coda.io/@movein/published-doc-demo/google-the-other-client-3?hideSections=true

The doc is only published once. I got those two separate URLs by opening the published link in my browser, navigating to the relevant page, then copying the URL and appending ?hideSections=true to the end.

Note: you must be sure to uncheck “Show pages in top nav”, otherwise the URL parameter has no effect.
image

Note 2: This is not secure. Even if you are careful to hide all links back to the main data, it’s as easy as just changing the url in the browser for someone who really wants to access data not for them. But at least no one will accidentally access data not for them. So if that’s your main concern, you can use this method.

1 Like

Thank you so much Ryan. I appreciate the clear explanation. It’s a neat trick!

1 Like

Hi @Scott_Collier-Weir,
Thanks a lot for this portal solution.
I have actually implemented it, and I use it with clients. And it works pretty well :slightly_smiling_face:

I was just wondering how secure it is? Does somebody can get all the data, using this URL?

What are your recommendations to make it the most secure?

Thank you!

1 Like

At the end of the day, if you share a doc with someone you share the whole document with that person.

This is a very “light” security method. It’s equivalent to putting a knee high chain link fence around a park.

Yes, there is a fence there and for most people it will keep them out. But a little hop and motivation and someone will be over that fence.

1 Like