Let's say you have a Forge app that includes a global settings page for admins:
```yaml
modules:
  confluence:globalSettings:
    - key: my-app-settings
      function: admin
      title: My App Settings
```
Currently, if a non-admin user discovers the URL for the settings page, it appears that there is nothing to stop them from navigating directly to that page (at least in our testing, that seems to be the case).
Our assumption is that the expected way to restrict access to the global settings page would be display conditions, e.g.
```yaml
modules:
  confluence:globalSettings:
    - key: my-app-settings
      function: admin
      title: My App Settings
      displayConditions:
        and:
          isAdmin: true
          isLoggedIn: true
```
However, this doesn’t currently seem to work, and the documentation for display conditions indicates:
At the moment, only the following Confluence modules support display conditions:
If this is true, how are production Forge apps currently protecting their admin/settings pages from unauthorised access?