Changing filters with URL parameters

08-17-2023 08:09 AM
JamesTurner2
New Contributor III

I'm working on an experience builder app that will use url parameters to filter the data sources in the app. The app will be used for outside groups to review some point data. The groups will be provided with a link to the app and the url parameters will filter the data sources so that users only see data relevant to them. There is a web map in the app which displays the data. 

I have gotten the url parameters working. Is there a way to prevent someone from seeing all of the data if they delete the url parameters? The data is sensitive, I don't want someone to be able to expose all of the data in the sources, only the data that the url parameters filter.

Could I use the embed widget to construct a web map with url parameters that uses the filtered data from the experience builder app?

I thought I might be able to set up filters on the data source tab which would hide all of the data (ex. objectID is blank), but the data_filter url parameters don't appear to override those. So even with url parameters, nothing appears in the app.

I tried the solution mentioned here but it doesn't work for the same reason listed above.

Any ideas if there is a solution here?


Accepted Solutions
Shen_Zhang
Esri Contributor

Filters set in the data source tab in Experience Builder will be applied automatically; any further filters made from URL parameters will not replace them but will be added to the current filter. However, it is possible to embed the app URL with the data_filter parameter in an Embed widget. Users can neither see the filters applied nor modify them.

If you would like to make the embedded app more flexible, try a dynamic URL - you can replace any value you were using and pass URL parameters from the app URL to the Embed widget at run time to control what appears in the embedded contents. Here's what I tried to do with my configuration:

1. Create a new app and add an Embed widget with a map and a table

2. Copy and paste my app with a filter (here I use dsId:OID<20 as an example). Save the new app, append &exampleParam= to the end of app URL, and refresh the app


3. From Embed widget setting, you will see exampleParam in URL info. It can be added to the embedded URL by clicking on it. You can replace any content with {appURL.search.exampleParam}. Let's say we replace value "20" - now the filter changes to 

data_filter=dataSource_3-Feature_NAD1983_8510:OID%3C{appURL.search.exampleParam}

4. Now save the app, publish and view the app. The app launches with no data in it (as the SQL expression in the Embed widget is incomplete and invalid)


5. Add ?exampleParam=20 to the URL. Now the app displays with the corresponding filter applied. 


I think this might be helpful as you could customize the parameter name (add multiple parameters if you want), also it gives you the flexibility to control what appears in the app to save some trouble. When deleting the parameter the users will only get an empty app - but if they managed to figure out what it is for (like setting a huge value in my case above), they may still be able to see the whole dataset.

Shen Zhang

10 Replies
JeffreyThompson2
MVP Regular Contributor

Counting on url parameters to hide sensitive data is a poor and potentially very dangerous security practice. I think I read someone on this forum a few days ago found a bug that allows users to download all the records in a featureLayer to a csv regardless of any filters applied. If you have different clients that can't see different things, they probably shouldn't be looking at the same Experience or data sources.  

GIS Developer
City of Arlington, Texas
KenBuja
MVP Esteemed Contributor

Can you set up hosted feature layer views to use in the map that only shows the data that they are allowed to see?

JamesTurner2
New Contributor III

I agree that is not a great security practice. Even if one of my failed attempts to solve this worked, it wouldn't be secure, but probably good enough for my use case. Exporting is turned off on all the data sources involved.

I could create hosted feature layer views, however I have over 300 different clients who all have a subset of data in the feature service. On top of that, there are actually three services that are in the map which all need to be filtered, but they all have a common field to filter on. 

Hosted feature layer views may ultimately be the way to go, but I'm just not sure how to scale up with such a large number. 

JeffreyThompson2
MVP Regular Contributor

If I were doing something like this, I would create a custom widget that extracts the user information. I'm not sure where I have seen this. WidgetProps.Context maybe? But somewhere, there is a record of the user's name and what groups they belong to. Then I would filter the data based on who the user is. I think this should be easier and more secure than trying to make it work from URL parameters. At least, this way you are outsourcing security to ESRI's authentication. Of course, this requires using developer edition.

GIS Developer
City of Arlington, Texas
JamesTurner2
New Contributor III

While that is outside of my scope of knowledge, that might be a solution that applies outside of this project and is worth pursuing. I'm not familiar with any of the components that the developer edition is built on. With a custom widget, could you write the code so it looks up the username in a list and then filters on the return value?

JeffreyThompson2
MVP Regular Contributor

It might be difficult, but it should be possible.

GIS Developer
City of Arlington, Texas
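
The lookup that JeffreyThompson2 and JamesTurner2 discuss above, sketched as an added example that is not part of the original thread and is not Experience Builder code: it maps a signed-in user to the client IDs they may see and builds one where clause for the shared filter field, matching nothing when the user is unknown. The user object shape, the `ASSIGNMENTS` list, the `ClientID` field and the data source IDs are all assumptions.

```javascript
// Added example: all names below (ASSIGNMENTS, ClientID, the user object
// shape) are hypothetical and not taken from Experience Builder's API.

// Constructed lookup list: username or group name -> client IDs it may view.
const ASSIGNMENTS = new Map([
  ['jsmith', ['C-001']],
  ['group:north-region', ['C-014', 'C-015']],
  ["o'brien", ["C-0'22"]],
]);

// Quote a value as a SQL string literal, doubling embedded single quotes.
function sqlLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Collect every client ID assigned to the user directly or via a group.
function clientIdsFor(user, assignments = ASSIGNMENTS) {
  const keys = [String(user.username || '').toLowerCase()];
  for (const g of user.groups || []) keys.push('group:' + String(g).toLowerCase());
  const ids = new Set();
  for (const k of keys) for (const id of assignments.get(k) || []) ids.add(id);
  return [...ids].sort();
}

// Build the where clause; unknown users get a clause that matches nothing.
function buildWhere(user, field = 'ClientID', assignments = ASSIGNMENTS) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(field)) throw new Error('bad field name');
  const ids = user ? clientIdsFor(user, assignments) : [];
  if (ids.length === 0) return '1=0';
  return `${field} IN (${ids.map(sqlLiteral).join(', ')})`;
}

// The three services share the filter field, so one clause serves all of them.
function filtersForSources(user, sourceIds, field = 'ClientID') {
  const where = buildWhere(user, field);
  return Object.fromEntries(sourceIds.map((id) => [id, where]));
}
```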
JamesTurner2
New Contributor III

Thank you @Shen_Zhang! This is exactly what I was looking for. I didn't quite understand how to set this up reading the documentation on dynamic URLs, but your example brought it together. I'll use a GUID as the filter parameter, so it's highly unlikely that someone will be able to access other data.

PaulLohr
Occasional Contributor III

Why not provide filtering capabilities in the Map Viewer using URL parameters? Going further, why not have parity between the Map Viewer and the mapping web apps in terms of URL parameters? 

Map Viewer URL parameters: https://doc.arcgis.com/en/arcgis-online/reference/use-url-parameters.htm

Experience Builder URL parameters: https://doc.arcgis.com/en/experience-builder/latest/build-apps/url-parameters.htm
