Hey! I’m building an API Workflow that will be used by an external app, but I’m having a problem with privacy rules.
Basically, I have two tables: Teacher and Products. Each product has an owner (teacher), and each teacher has a user. A product is only visible to a user if its owner's user is the current user, as you can see right here:
So I created an API Workflow that logs the user in and returns whether it has a product. By default, I would only have to do a search for the products and filter by the product I want to check, right?
The problem is, it’s not returning anything, it’s like the current user doesn’t have permission to see any product. Even when I return a search without any constraints it doesn’t return anything, I’m having to check the “Ignore privacy rules” box for it to work, but it’s not really good for performance, so I wanted to make it work just with privacy rules.
Any idea of what I’m doing wrong?
Here is the API Workflow and the response:
Jici
A backend WF applies privacy rules. To avoid this, you can use an API key (so you can also remove "This workflow can be run without authentication").
I actually can’t, because I do the authentication on this same Workflow.
My process is like this:
- I call this endpoint on my external app, passing the parameters.
- I log the user in using the parameters.
- Then I do the search.
If I understood the privacy rules and the API authentication correctly, it should be working.
By the way, I also tried to split this workflow, making a workflow that can be run without authentication and log the user in, then I use the token and call another workflow, and also didn’t work.
The strange thing is that if I return any other data, the user name for example, it works just fine, it seems to be really a privacy rule problem.
Jici
How do you log in the user? You cannot do that in the same workflow. You need to do that in a separate workflow, this will return an access token that can be used in header after.
Are you following that:
I wasn’t, but I had already tried that and didn’t work. Just for fun, I created two more API Workflows and did it like that again, and still the same.
Login API WF:
Second API WF (that should return the products):
The response (it's just an empty search, so if the privacy rules were working, it should return only the products the teacher owns):
The test code I made:
What it returns:
I also checked multiple times on my database and the user I'm using has products. And if I check the "Ignore privacy rules" box, it works just fine.
Jici
Can you try this: Change the GET endpoint to a POST endpoint
Also, are you on version 30? [Upgrade to Bubble version 30] Calls to backend workflows with API tokens fix
Jici
Took a deeper look at your screenshot… doesn't seem to have any "authentication" error, right? Just data not returned as it should be (based on the auth/privacy rules)?
As @Jici points out, you should:
- Have a backend workflow for logging in a user which has an ‘email’ and ‘password’ parameter
- Log the user in action
When called, this will return a cookie that can be used to authenticate a subsequent request to whatever other backend workflow you actually want to call.
Yes, exactly! I’m starting to think that is some bug.
My app is on version 30 and I tried to change the method to POST on both workflows, but still the same:
Code:
Response:
Already did that, I created two other workflows like you described, it's on posts 5 and 9. Still doesn't return as it should.
What data are you returning from the API? And try adding the token as a ‘Cookie’ header rather than Authorization. You won’t need ‘Bearer’ before either.
I’m returning if there is a product the current user can view:
As for the header, I don’t really think it would change anything, because it’s not an authentication problem, if I return the current user name or email, it works, it just doesn’t return the data.
Now I tried showing the products on a repeating group and logged in as the user I'm using, and it looks like the user really doesn't have access to the data. So it's really a privacy rules problem, I just don't know what. Is there anything wrong with the privacy rules?:
I’m using 3 data types: User, Teacher and ProductStock. The product stock has an owner, that is a Teacher. The teacher has a user, that is a user. And if I’m not crazy, the rule is saying that when a ProductStock’s owner’s user is the logged user, the ProductStock is visible. I need this privacy rule because the users can’t see each others products.
Am I doing something wrong or forgetting to do something?
You can’t find it in searches because the privacy rule is too complex.
Add a User field to ProductStock and keep it in sync with the Owner Thing using a database trigger.
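To show what the suggested workaround looks like in practice, here is an added example that is not from this thread and not Bubble's own code. It models the three data types (User, Teacher, ProductStock) in an in-memory SQLite database with a denormalised `user_id` column on `product_stock`, and uses database triggers (the SQLite equivalent of the "database trigger" suggested above) to keep that column in sync with Owner → User. The "privacy rule" then becomes a direct field comparison, `user_id = current user`, instead of a nested lookup. Table and column names, the sample users and products, and the `stale_rows` audit query are all assumptions made for the example.

```python
import sqlite3

# Constructed schema for the example: User, Teacher and ProductStock, with a
# denormalised user_id on product_stock maintained by triggers.
SCHEMA = """
CREATE TABLE user (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE
);
CREATE TABLE teacher (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES user(id)
);
CREATE TABLE product_stock (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    owner_id INTEGER NOT NULL REFERENCES teacher(id),
    -- Cached copy of owner -> user, so the privacy check needs no nested lookup.
    user_id  INTEGER REFERENCES user(id)
);

-- New product: copy the owner's user into the cached column.
CREATE TRIGGER product_stock_set_user_ins AFTER INSERT ON product_stock
BEGIN
    UPDATE product_stock
       SET user_id = (SELECT user_id FROM teacher WHERE id = NEW.owner_id)
     WHERE id = NEW.id;
END;

-- Product handed to another teacher: refresh the cached column.
CREATE TRIGGER product_stock_set_user_upd AFTER UPDATE OF owner_id ON product_stock
BEGIN
    UPDATE product_stock
       SET user_id = (SELECT user_id FROM teacher WHERE id = NEW.owner_id)
     WHERE id = NEW.id;
END;

-- Teacher re-linked to a different user: propagate to all of their products.
CREATE TRIGGER teacher_user_changed AFTER UPDATE OF user_id ON teacher
BEGIN
    UPDATE product_stock SET user_id = NEW.user_id WHERE owner_id = NEW.id;
END;
"""


def build_demo_db():
    """Create the schema and load constructed sample data (two users, two teachers, three products)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user(id, email) VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    conn.executemany("INSERT INTO teacher(id, user_id) VALUES (?, ?)",
                     [(10, 1), (20, 2)])
    conn.executemany("INSERT INTO product_stock(id, name, owner_id) VALUES (?, ?, ?)",
                     [(100, "Notebook", 10), (101, "Pencil", 10), (102, "Ruler", 20)])
    conn.commit()
    return conn


def visible_products(conn, current_user_id):
    """The privacy rule as a flat comparison: a ProductStock is visible when its
    cached user_id equals the current user. No join through teacher is needed."""
    rows = conn.execute(
        "SELECT name FROM product_stock WHERE user_id = ? ORDER BY name",
        (current_user_id,),
    ).fetchall()
    return [name for (name,) in rows]


def reassign_owner(conn, product_id, new_owner_id):
    """Hand a product to another teacher; the trigger updates user_id."""
    conn.execute("UPDATE product_stock SET owner_id = ? WHERE id = ?", (new_owner_id, product_id))
    conn.commit()


def reassign_teacher_user(conn, teacher_id, new_user_id):
    """Link a teacher to a different user; the trigger updates all their products."""
    conn.execute("UPDATE teacher SET user_id = ? WHERE id = ?", (new_user_id, teacher_id))
    conn.commit()


def stale_rows(conn):
    """Audit check: product ids whose cached user_id disagrees with owner -> user.
    Should always be empty if the triggers cover every write path."""
    return [pid for (pid,) in conn.execute("""
        SELECT p.id FROM product_stock p JOIN teacher t ON t.id = p.owner_id
        WHERE p.user_id IS NOT t.user_id
    """).fetchall()]


if __name__ == "__main__":
    db = build_demo_db()
    print("user 1 sees:", visible_products(db, 1))
    print("user 2 sees:", visible_products(db, 2))
    reassign_owner(db, 101, 20)
    print("after moving Pencil to teacher 20, user 2 sees:", visible_products(db, 2))
    print("stale rows:", stale_rows(db))
```

The audit query is the part worth keeping around: whenever a new write path is added (an import, a bulk edit, a second workflow that creates products) and it bypasses the trigger, `stale_rows` is how you find rows whose cached user no longer matches the owner, which is exactly the situation that would silently hide or expose products under the flat privacy rule.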
Is there any other workaround? I would have to create a user field on each table that uses a similar rule, just for that, or I would have to change the entire relationship to use the current user instead of the teacher, which isn’t really semantic, because I have multiple types of users, and the teacher is only one of them.