Account Settings accessible by any user - normal?

Hi monday team,

After implementing the Account Settings view in our app, we’ve noticed that any board user has access to the Account Settings view via the app’s item view.
We’ve tried with a user that has only viewing access in a board and the user could still open the Account Settings view from the app’s item view.

From our initial understanding (and from the documentation page), Account Settings should represent global settings that impact the entire account. From our experience, these kinds of settings are normally administrator-only, or at least configurable with a permission rule of sorts.

My question is: is it intended for any user to be able to access account-wide settings?
If not, is there something we might have missed in our app’s design or is it something that should be looked at by your team?

Kind regards,

Yeah. That’s exactly how it works. It’s certainly not ideal by any stretch.

We check for admin permissions using the contents of the JWT token and display a 404 or similar for normal users.

You could also just look in the context to do the same thing.

We considered checking for admin access to, at the minimum, make the settings read-only, but would like monday’s take on the matter. Especially since a user with read-only rights can open the Account Settings.

Did any of your customers contact you after seeing a 404 page?

I completely agree with you that it certainly isn’t ideal.

Can anybody from monday pitch in?

Our “404” page looks like this, so hopefully, the customers understand why they can’t access the account settings.

Hello there @Pask,

I believe what @dvdsmpsn described is a good approach to avoid non-admins changing these settings, if that is what you want for your app.

You can open a feature request here asking for a different way to handle this if that is something you would be interested in :smile:

Cheers,
Matias

Thanks for sharing.

I believe that is also the kind of approach we will have to take.

Hi @Matias.Monday,

Thank you for the reply and the link to the feature request section.
I mainly wanted to know monday’s stance on the subject before creating a feature request.

As I said in my initial post, Account Settings are global settings that impact the whole account. Yet view-only users can access the UI, and nothing about “who can access it” is documented anywhere.

What is monday’s philosophy on the matter?

Thank you

I have created this feature request.