USEREMAIL() chrome with more than a user logged in

Hello,

(sorry about my english from advance, i’m from Brazil)

I have a situation related to the function USEREMAIL().

I use the function in a App to set in a Google Sheets wich user made the last update. The app is restrict to sign in users.

Recently i noticed emails that don’t have acess to the app set as user who made the update.

I checked the users who have acess again, and it was all ok.

So i made a test and found the problem:
The user was using Google Chrome and had two accounts logged in, one that have acess to the app and another that dont have acesss.

So, to summarize an example:

1. User logged in Chrome with two accounts: hasacess@gmail.com, donthaveacess@gmail.com

2. When he used the App, the USEREMAIL() function set the email as the donthaveacess@gmail.com.

Does anybody experienced the same situation? I instructed the users to don’t use two gmail accounts logged in, but it can happen nevertheless…

Do you mean that you didn’t explicitly share the app to this email address?

Confirm that you haven’t enabled “Allow all signed-in users”:

dbaum_0-1663590152665.png520×530 42 KB

Hi dbaium.

Thanks for the quick reply.

I checked your tip and it was not enabled.

Any more tips that i can check? Thanks is advance to all.

Screen.PNG857×339 23.3 KB

That’s very odd! This may be bug. Please contact AppSheet Support for help with this.

Attn @Aleksi @Rob_Just

Thanks guys for the help. I will contact Appsheet Suport.

Hi guys. Giving feedback on what happened (might help others).

What happened it’s one of my user received the invite and then used another gmail account to log in.

Now, i didn’t know that if an invite were shared with other it would be possible for any other account to have access to all the apps the user i invited has access.

I think it’s a little dangerous that behavior, since the notify and send jnvite is checked by default and i thought that the option “manager users” would give me the control with whom i share and have access to the app. (Similar when we share a sheet or docs in Google Drive)

But i understand it was my mistake not understanding fully the share options.

I appreciate all the help in this forum and from Appsheet support. I simply love the revolution we can make in ou work environment with Appsheet.

Agree!

Can you explain the scenario more precisely so we all (at least I) better understand. Is it one of the following?

• App creator shares app to hasaccess@gmail.com so that user can access the app. If a different user with email donthaveaccess@gmail.com gets a hold of the same link sent to hasaccess@gmail.com, then the second user can also access the app.
• App creator shares app to hasaccess@gmail.com so that user can access the app. That user has multiple email addresses, including both hasaccess@gmail.com and donthaveaccess@gmail.com, associated with the same Google account (e.g., one is for account recovery). As a result, that single user can access the app using any email address associated with the Google account to which the app was shared.

Hi dbaum,

hasaccess@gmail.com and donthaveaccess@gmail.com were not associated with the same user.

Wich seem yo happened it was that: donthaveaccess@gmail.com didn’t have an appsheet id yet (never used).

When he got a hold of the link shared by invite and redirected to appsheet it seem that donthaveaccess@gmail.com get the same appsheet id as haveaccess@gmail.com.

Because even if donthaveaccess@gmail.com get a hold of one simple link shared, when he access appsheet he now has access to ALL apps that hasaccess@gmail.com has.

It’s a strange behavior, i might not fully understand yet or explain, but what i can assure is users who don’t have access and in not in list of users that i shared, having access because of getting a hold of the link shared by invite.

I hope im helping improve security in appsheet with this discussion.

I actually had a similar experience over the weekend. In my case, the fix was to disable the app as a sample app:

Steve_0-1664200570838.png444×541 36.3 KB

Both sample options should be OFF. Click Change visibility to apply the settings.

Thansk @Steve mine were already OFF.

But, nevertheless, i clicked in change visibility.

Thanks for all the help and patience.

I’m not sending the invitation by notify anymore. Bellow is may chat with appsupport about the user sendink the invite to another user and those gaining access. If i’m understanding wrong, please feel free to point me in the right direction.

2022-09-26_08-26.png308×484 30.5 KB

If i find more about this behavior i will post here for the community.