File access rules

Control who can view, upload, edit, and delete files and folders in your Fliplet apps. File access rules let you set permissions at the organization, app, folder, or individual file level — ensuring sensitive documents are only accessible to the right people.

Before you start

Access rules are managed from the File Manager in Fliplet Studio. Fliplet Studio users always have full access to all files — access rules only apply to app users accessing files through a published app.

How access rules work

Each rule specifies who is allowed access (all users, logged-in users, or specific users), what they are allowed to do (read, upload, update, or delete), and which apps the rule applies to. Rules are evaluated in order from top to bottom — the first rule that matches determines the outcome. If no rule matches, access is denied.

Access rules are enforced on the server for every request, including file downloads, thumbnail generation, and API access.

Viewing access status

The File Manager shows the access status of every file and folder at a glance:

  • Access column — Each row in the file list displays the allowed actions (e.g., “Read, Create”) or “No access rules” for items without rules.
  • Folder security card — When browsing a folder with no items selected, the right sidebar shows the folder’s access summary and an Access rules button.
  • Selected item — Selecting a single file or folder shows its access status in the right sidebar.

Managing access rules

Who can manage access rules

Permission to edit access rules depends on your role in the app or organization:

| Context | Roles that can edit rules | Roles with read-only access |
| --- | --- | --- |
| App files and folders | Publisher, Editor | Viewer, Tester |
| Organization files and folders | Admin | Standard users |

Read-only users see a View access rules button instead of Access rules. The Access Rules panel still opens so they can review what’s configured, but the toolbar is hidden and a banner indicates that editing is not available.

Open the Access Rules panel

Open the Access Rules panel from any of these locations:

  • Click Access rules (or View access rules) in the right sidebar folder card, when no items are selected.
  • Click the current folder or app name in the breadcrumb bar and select Access rules.
  • Select a file or folder, click Actions, and choose Access rules.

Add a rule

  1. Open the Access Rules panel.
  2. Click Add new rule and choose Create my own rule, a pre-configured template, or Create a custom rule using JavaScript.
  3. Configure the rule settings.
  4. Click Add rule.
  5. Click Save & Apply to save all changes.

Edit a rule

  1. In the Access Rules panel, click Edit on the rule you want to change.
  2. Modify the rule settings.
  3. Click Confirm to update the draft.
  4. Click Save & Apply to save all changes.

Reorder rules

Rules are evaluated top to bottom — the first rule that matches a user’s request determines the outcome, and remaining rules are skipped. If no rule matches, access is denied. Drag a rule by its handle (the dotted icon on the left) to change its position. Click Save & Apply after reordering.

Enable or disable a rule

Toggle the switch next to any rule to enable or disable it without deleting it. Disabled rules are skipped during evaluation. Click Save & Apply to save the change.

Delete a rule

Click Delete on any rule to remove it from the draft list, then click Save & Apply to confirm.

Rule settings

Each rule has four settings: who is allowed, what actions they can perform, which apps it applies to, and what happens when the rule doesn’t match.

Allow (who the rule applies to)

| Option | Description |
| --- | --- |
| All users | Anyone, including users who are not logged in. Use this for publicly accessible files. |
| Logged in users | Users who have signed in through any login component in the app. |
| Specific users | Users whose profile matches conditions you define (e.g., Email equals a value, Department contains “Engineering”). |
| Data Source Entries | Access based on matching records in a data source. Grant access when a data source entry references this file in a selected column, optionally filtered by conditions. Only available for file-level rules, not folders. |
| Specific token | Access limited to a specific API token. Use this for automated integrations (e.g., Zapier, external systems). |

Users can (allowed actions)

| Action | Description |
| --- | --- |
| Create / Upload | Upload files or create subfolders. Only available for folder-level rules. |
| Read | View and download files. |
| Update | Modify file content or metadata. |
| Delete | Remove files or folders. |

Applies to (app scope)

  • All apps — The rule applies to all apps that use this file or folder.
  • Specific apps — The rule only applies to selected apps.

Note: This setting is hidden for organization-level rules, since organization files are not associated with any app.

When this rule does not grant access

  • Continue (default) — If this rule doesn’t match, evaluation moves to the next rule in the list.
  • Stop — If this rule doesn’t match, access is denied immediately and no further rules are evaluated. For example, you can place a “Logged in users” rule with Stop at the top of your list — any user who isn’t logged in is denied right away, before any other rules are checked.

Rule evaluation and inheritance

Evaluation order

When a user requests access to a file or folder, the system evaluates rules in this order:

  1. The item’s own rules (top to bottom).
  2. The parent folder’s rules (if the item has no rules of its own).
  3. Up the folder hierarchy until rules are found.
  4. The app-level or organization-level root rules.
  5. If no rules match at any level, access is denied.

The inheritance chain depends on where the file lives:

  • App files: file → parent folder → app root
  • Organization files: file → parent folder → organization root

Inheritance

Files and folders without their own access rules automatically inherit rules from their nearest parent that has rules defined. This means you can set rules once on a parent folder and have them apply to all contents within it.

When a file or folder has its own rules, those rules take full precedence — inherited rules are not evaluated.

The Access Rules panel shows inherited rules in a read-only section below your own rules, labeled “Inherited from folder: [Name]”, “Inherited from app: [Name]”, or “Inherited from organization: [Name]”, with a link to edit the parent’s rules directly.
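
The evaluation order and inheritance described above, as a small model you can use to reason about rule ordering before clicking Save & Apply. This is an added illustration, not Fliplet's code: the object shapes and field names (`allow`, `actions`, `apps`, `onNoGrant`, `enabled`) are hypothetical, and it assumes Stop applies whenever a rule does not grant the request.

```javascript
// Illustrative model only; object shapes and field names are hypothetical.

// True when one rule grants the request: who, app scope and action must all match.
function grants(rule, req) {
  const who =
    rule.allow === 'all' ||
    (rule.allow === 'loggedIn' && req.user != null) ||
    (rule.allow === 'specific' && req.user != null && rule.match(req.user));
  const scope = rule.apps === 'all' || rule.apps.includes(req.appId);
  return who && scope && rule.actions.includes(req.action);
}

// Nearest node (the item, then each ancestor up to the root) with its own rules.
function effectiveRules(node) {
  for (let n = node; n; n = n.parent) {
    if (n.rules && n.rules.length > 0) return { from: n.name, rules: n.rules };
  }
  return { from: null, rules: [] };
}

function evaluate(node, req) {
  const { from, rules } = effectiveRules(node);
  for (const [i, rule] of rules.entries()) {
    if (rule.enabled === false) continue; // disabled rules are skipped
    if (grants(rule, req)) return { allowed: true, from, rule: i };
    // Assumption: Stop denies whenever this rule did not grant the request.
    if (rule.onNoGrant === 'stop') return { allowed: false, from, rule: i };
  }
  return { allowed: false, from, rule: null }; // nothing matched: deny
}

// Constructed sample tree: app root -> "HR" folder -> "salaries.pdf"
const root = { name: 'app root', parent: null, rules: [
  { allow: 'all', actions: ['read'], apps: 'all' },
] };
const hr = { name: 'HR', parent: root, rules: [
  { allow: 'loggedIn', actions: ['read', 'create'], apps: 'all', onNoGrant: 'stop' },
  { allow: 'all', actions: ['read'], apps: 'all' }, // unreachable: the Stop rule above always decides
] };
const salaries = { name: 'salaries.pdf', parent: hr, rules: [] };
const logo = { name: 'logo.png', parent: root, rules: [] };

const anon = { user: null, action: 'read', appId: 1 };
const member = { user: { Email: 'a@example.com' }, action: 'read', appId: 1 };

console.log(evaluate(salaries, anon));   // decided by HR's rules, not the root's
console.log(evaluate(salaries, member));
console.log(evaluate(logo, anon));
```

In this model the anonymous read of salaries.pdf is denied even though the app root allows public reads, because the HR folder has rules of its own and the root's rules are never consulted.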

Pre-configured rule templates

The Add new rule dropdown includes ready-made templates for common scenarios:

| Template | Description |
| --- | --- |
| All users can read | Public read access for anyone. |
| All users can upload | Public upload access for anyone. |
| Logged in users can upload | Only authenticated users can upload files. |
| Logged in users can read | Only authenticated users can view and download files. |
| Logged in users can read, update and delete | Full read/write access for authenticated users. |
| Deny access | Blocks all access. Uses the Stop setting, so no rules below it can override the denial. |

Each template can be customized after adding it to your rules list.

Custom rules

For advanced scenarios, you can write custom access rules using JavaScript. Select Create a custom rule using JavaScript from the Add new rule dropdown.

Custom rules use the same scripting model as data source custom security rules. See the developer documentation on file access rules for the full scripting reference, including available variables and return format.
