I’m building an app that allows Users to upload and download content. One of my Alpha users has asked if I, or any of my employees, have acces/can see what they have uploaded. I’ve set Privacy rules so that only the Content’s Creator can see the file when you view the site, but the Bubble Data section obviously allows me to see anything that’s been uploaded.
I could use AWS as an uploader and restrict access to a file to only load through my URL, which could prevent viewing through the Bubble backend (as only a link would be shown), but I imagine I’d still be able to login to my AWS account and see what’s been uploaded?
It will be very hard to do. Either a database is visible to admins, or else it’s completely locked down. There was some discussion around it here: Encrypt database
I’ve actually implemented AWS S3 using Zeroqode’s AWS Uploader and set S3 to only allow access through my domain. So my team and I can’t see/access the files on AWS and the only thing they can see on the Bubble backed is the AWS address. And with Bubble Privacy settings to only show content to its Creator, I think I actually found out how to do it to an acceptable degree.
But you still have a problem with the “run as” if I’m not mistaken. If you login as X user from the User data type you can login as any user and see their files doesn’t matter what Privacy Rules you put in place. Can you confirm this please? As I am trying to push so that Bubble adds a means to not allow Bubble owners to see their customer data, including files.
For anyone who is interested, Bubble have finally added a feature to remove the “Run as”.
(8/25) For collaborators on your app, there’s a new permission level for accessing the data of your app that lets the collaborator see the data, but not use “Run as”. @zoe
