I hope this is not too stupid a question, i have built up my app using the search for a thing method with constraints etc, all is working fine. I am now thinking about security and I am trying to use the user roles to make some things on the table only available to the person who created that particular thing. Is this sufficient or am I supposed to be accessing the data on bubble through api calls? Does accessing the data through api calls give an extra level of security or am I barking up the wrong tree here?
The privacy roles is sufficient as far as I understand it.
The API features allow inter-app communication and some other fancy stuff. It isn’t something I have looked at in any great detail yet, as everything I have needed to do has been capable without it.
Thank you for this, still a bit a confused as I seem to be reading some conflicting information, such as this http://softwareengineering.stackexchange.com/questions/286788/what-is-faster-using-rest-api-or-querying-a-database-directly or this http://softwareengineering.stackexchange.com/questions/277701/why-do-people-do-rest-apis-instead-of-dbals tbh a lot of this is a bit out of my depth but maybe someone else here may understand a bit better than me. If the user roles is sufficient I will carry on using that but it would still be useful to know
I don’t think you even can worry about that discussion. Bubble doesn’t give you access to any of the communication between your app’s user interface and database.
It sounds like the functions you’re worried about are all internal, so you’re not connecting to anything outside your app, so you don’t need to worry about using APIs. You can use APIs internally, but that’s a next-level trick that you don’t seem to be asking about. At any rate, the API calls will use basically the same security as everything else in the app. When you write a Bubble API you literally treat the caller as “current user” same as any other workflow.
The user roles seems like the appropriate place to define who, inside your app, has access to what data. That doesn’t mean it’s simple…user permissions can get quite complicated. If you’re storing personal or financial information you’ll definitely want to prioritize testing to make sure there aren’t any leaks.
Thanks that is very informative, Is there anywhere I can get some more info or instructions on using user roles to safeguard data in my app? the only sensitive data in my app will be addresses and names that will appear in one table (cart), if I limit this so that only current user can see the items he has created and the admin role can see everything ,I think I should be ok? All the payment details will be handled by stripe.
That’s something I’ve been postponing digging into 
have you exhausted the forum’s search? That’s where most of the Bubble knowledge resides. For example, this one is informative Two Sided Market Place User Groups, Permissions