Private pages

Pre-requisite

To make a page private in WeWeb, you first need to have added and configured an authentication provider in the Data & API tab. Learn more about integrating providers.

For authenticated users

Once you have configured an authentication provider, you can control who can access each page.

To configure private page access:

  1. Open the Pages panel in the Interface tab
  2. Click on the page you want to configure
  3. Click on Private access in the page menu
  4. Choose between Everyone or Authenticated users

Limit access to authenticated users

If you choose the Authenticated users option, the page will only be accessible to users that are logged in.

TIP

Inside the WeWeb editor, you will be able to access all pages, including private pages, even if the user is not logged in. This was done to avoid users being stuck when building in WeWeb.

WARNING

When configuring redirections in your authentication settings (in the Data & API tab), make sure you redirect unauthenticated users to a public page. If you redirect unauthenticated users to a page that is only accessible to authenticated users, you'll be creating an infinite loop and your app will crash.

For user groups

If you have defined user roles in your backend and configured user groups in your authentication settings, you can restrict access to specific groups.

To restrict page access by user group:

  1. Open the Pages panel in the Interface tab
  2. Click on the page you want to configure
  3. Click on Private access in the page menu
  4. Select User groups and choose which groups can access the page

Limit access to user groups

TIP

Inside the WeWeb editor, you will be able to access all pages, including private pages, even if the user is not part of the required user group. This was done to avoid users being stuck when building in WeWeb.

WARNING

When you add several roles to a user group, a user needs to have BOTH these roles to be part of the user group. It's an AND statement, not OR.

In the example below, the members of the Premium customer user group must have both the Customer and the Premium roles associated with their user profile:

Add user groups

Security

It's important to understand that gating content and making a page private is more of a UX feature than a security measure.

It is best practice to gate content because, by making a page private, you make it clear to users that they are not allowed to access the content on that page.

However, security always happens in the backend. To protect your data, you must secure the API endpoints or tables in your backend, even if the page that triggers those calls is private.

In other words, if users need to be authenticated or have a specific role to view or edit data, your backend should have access control checks that ensure that users have the proper authorizations when trying to access or update data.
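As an added illustration (not WeWeb code and not part of the original page), the sketch below shows a backend check that enforces the same rules server-side: authentication first, then user-group membership where every role in the group is required. The names `GROUPS`, `POLICY`, `inGroup` and `authorize`, the endpoint paths, and the rule that any one listed group is enough are assumptions made for the example.

```javascript
// Added example; GROUPS, POLICY, inGroup and authorize are hypothetical names.
// A user group lists roles; membership requires ALL of them (AND, not OR).
const GROUPS = new Map([
  ["Premium customer", ["Customer", "Premium"]],
  ["Admin", ["Admin"]],
]);

// Per-endpoint policy (constructed). Assumption: when several groups are
// listed, membership in any one of them is enough.
const POLICY = new Map([
  ["GET /api/catalog", { public: true }],
  ["GET /api/profile", { public: false }],
  ["GET /api/premium-reports", { public: false, groups: ["Premium customer", "Admin"] }],
]);

function inGroup(userRoles, groupName) {
  const required = GROUPS.get(groupName);
  if (!required || required.length === 0) return false; // unknown group: deny
  const have = new Set(userRoles);
  return required.every((role) => have.has(role));
}

// `user` must be derived from a session or token the server has verified,
// never from roles supplied by the browser. null means "not logged in".
function authorize(endpoint, user) {
  const policy = POLICY.get(endpoint);
  if (!policy) return { status: 403, reason: "no policy, denied by default" };
  if (policy.public === true) return { status: 200, reason: "public" };
  if (!user) return { status: 401, reason: "authentication required" };
  if (!policy.groups) return { status: 200, reason: "authenticated" };
  const roles = Array.isArray(user.roles) ? user.roles : [];
  const match = policy.groups.find((g) => inGroup(roles, g));
  return match
    ? { status: 200, reason: `member of ${match}` }
    : { status: 403, reason: "not in an allowed group" };
}

// Constructed sample users.
const customerOnly = { id: 1, roles: ["Customer"] };
const premium = { id: 2, roles: ["Customer", "Premium"] };
for (const [label, user] of [["anonymous", null], ["customerOnly", customerOnly], ["premium", premium]]) {
  console.log(label, authorize("GET /api/premium-reports", user));
}
```

A request that skips the private page and calls the endpoint directly gets the same 401 or 403, which is the property the page-level setting cannot provide on its own.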

Learn more about securing your web-apps here: