As you can see, I have NOT checked “Ignore privacy rules when running the workflow.” Now, I would have thought that in its current configuration, the caller would be prevented from changing the thing.
Hi @harry10, from my perspective as a mere Bubble apprentice, you need to check whether the person who is going to try to access a contract has their name there next to the contract. I believe this is a fundamental step in assessing whether or not access has been granted. For example, your contract ID has someone responsible for the contract on your part and on the other part. If you enter the contract ID and the name of the person responsible for the contract, both situations will have to be true (use the “and”) to have this type of access, especially to change something contractual. I believe this point needs to be taken very seriously, including with some access log, so that you have your security guarantees.
The Contract thing has been updated by the Anonymous User - guaranteed. But the Created By user for the Contract that was updated is an actual user with a real email address. So I’m confused why Anonymous User was able to change a thing that they did not create when that thing stipulates clearly that only creators of the thing can change it.
That’s the point: there is no verification of (user created by). I believe that a verification could be done before opening contract x, y or z, before executing any action, checking if contract x, y or z belongs to the person who created it.
Yes, you are right, but according to your privacy rule, the current contract can be accessed by the current user, and the current user may be nameless, but it is still a current user, understand? You would need a login screen to validate the person’s entry into this system; it would be a barrier in addition to the privacy rules, because they work, and work very well. But we need to have a better view of who can see it or not. How about making the rule read created by instead of current user? Or current user equal to created by, something like that. It would be possible to test, right? ; )
I clicked “Generate a new API token” under the “API Tokens” section in Settings. So presumably the token has sufficient authorisation to read all data. Is it possible to scope the API key or restrict it somehow?
@harry10, check out the Bubble manual on user authentication; it might be what you are looking for, although the need to have the email and password can make it difficult for webhooks.