Restricting global settings page to admins

Lets say you have a Forge app that includes a global settings page for admins:

modules:
  confluence:globalSettings:
    - key: my-app-settings
      function: admin
      title: My App Settings

Currently, if a non-admin user discovers the URL for the settings page, it appears that there is nothing to stop them from navigating directly to that page (at least in our testing, that seems to be the case).

Our assumption is that the expected way to restrict access to the global settings page would be display conditions, e.g.

modules:
  confluence:globalSettings:
    - key: my-app-settings
      function: admin
      title: My App Settings
      displayConditions:
        and:
          isAdmin: true
          isLoggedIn: true

However, this doesn’t currently seem to work, and the documentation for display conditions indicates:

At the moment, only the following Confluence modules support display conditions:

If this is true, how are production Forge apps currently protecting their admin/settings pages from unauthorised access?

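Since display conditions only control whether the UI is shown, the check that actually protects the settings has to run in the app's backend on every request. The following is an added example, not code from the original post or from Atlassian: a guard that wraps a Forge resolver handler and refuses to run it unless the caller is in a Confluence admin group. It assumes the resolver request exposes the caller as request.context.accountId, that admin status can be read from GET /wiki/rest/api/user/memberof, and that the site's admin groups are named confluence-admins or site-admins (all of these are assumptions to verify against your own site).

```javascript
// Added example, not from the original post. Assumptions (labelled):
// - a Forge resolver request exposes the caller as request.context.accountId
// - admin status is derived from Confluence group membership, read with
//   GET /wiki/rest/api/user/memberof?accountId=<id>
// - the admin group names on this site are "confluence-admins" / "site-admins"
const ADMIN_GROUPS = new Set(['confluence-admins', 'site-admins']);

// Pure check: does any of the user's groups grant admin?
function isConfluenceAdmin(groupNames) {
  return groupNames.some((name) => ADMIN_GROUPS.has(name));
}

// Extract group names from the memberof response shape
// ({ results: [{ name: '...' }, ...] }); a missing or odd body yields no groups.
function groupNamesFromMemberof(body) {
  const results = body && Array.isArray(body.results) ? body.results : [];
  return results.map((g) => g.name).filter((n) => typeof n === 'string');
}

// Authorization decision, synchronous and side-effect free so it is easy to
// unit test. Unauthenticated and non-admin callers are both refused.
function authorizeSettingsAccess(accountId, groupNames) {
  if (!accountId) return { allowed: false, reason: 'unauthenticated' };
  if (!isConfluenceAdmin(groupNames)) return { allowed: false, reason: 'forbidden' };
  return { allowed: true, reason: 'admin' };
}

// Wrap a resolver handler so it only runs for admins. `fetchMemberof` is
// injected so this runs offline; in a real app it would be something like
//   (id) => api.asUser().requestConfluence(
//     route`/wiki/rest/api/user/memberof?accountId=${id}`).then((r) => r.json())
// using @forge/api. Because the check runs on every call, it still holds when
// a user reaches the settings page by typing its URL directly.
function requireAdmin(handler, fetchMemberof) {
  return async (request) => {
    const accountId = request && request.context ? request.context.accountId : undefined;
    const groups = accountId ? groupNamesFromMemberof(await fetchMemberof(accountId)) : [];
    const decision = authorizeSettingsAccess(accountId, groups);
    if (!decision.allowed) return { ok: false, error: decision.reason };
    return handler(request);
  };
}

// Constructed sample responses standing in for the Confluence REST API.
const SAMPLE_MEMBEROF = {
  'admin-1': { results: [{ name: 'confluence-users' }, { name: 'confluence-admins' }] },
  'user-2': { results: [{ name: 'confluence-users' }] },
};
const fakeFetchMemberof = async (accountId) => SAMPLE_MEMBEROF[accountId] || { results: [] };
// The guarded resolver only returns settings to admins.
const getSettings = requireAdmin(async () => ({ ok: true, settings: { theme: 'dark' } }), fakeFetchMemberof);
```

In a real app the same guard would wrap every resolver the settings page calls (reads and writes), since the front end reaching the page is not what you are protecting.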