Bypass privacy rules on non-authenticated quote page

Need help Database
1

Hello fellow bubblers, newbie checking in :slight_smile:

We have a case where we are building a multi tenancy application where users belong to a company and they can create quotes which their customers should be able to view and accept/reject. Data types and relationships described in the end.

Everything is connected to company where we use privacy rules to make sure that a user can only see the customers, quotes, etc. which is connected to their company. For instance: when "This quote line item's company is Current User's company".
We tried to avoid setting company on every data type, but Bubble doesn’t seem to support complex security rules, as described in this post: Rules that use "This Attendee's X's Y" can't grant search access right now.

After locking down everything, security seem to be doing its job and users can only see relevant data. But we want to create a special page where the customer - who doesn’t have an account - can review, accept and/or reject the quote/offer. The page will contain a mix of company, quote and quotes related information. So far we’re sending the customer a special link with the quote unique id built in, but of course they aren’t able to see any information since the security rules are in effect. It is security by obscurity, but we’ve deemed it okay for now. Perhaps we’ll add OTP or some other verification method in the future.

Is there any way we can bypass the security rules for a page/view so we can achieve this? Or perhaps even utilize the security rules somehow? I saw a suggestion in another thread to use the api workflow + api connector, but I figured it would be best to ask here first.

Feel free to chime in with other concerns or questions for that matter.

Thanks!

Data types we decided on after browsing through some of the articles, videos and forum posts:

  • Company

  • User

    • connected to one company

  • Customer

    • connected to one company

  • Quote

    • connected to one company
    • connected to one customer
    • connected to multiple quote line items

  • Quote line item

    • connected to one company

  • Other data connected to the quote, such as material list, pictures, etc.

2

Interesting idea. I’m sure another Bubbler can come up with a more efficient way, but you could set up a field on the user ‘auth’ yes/no. When an authenticated page is loaded, auth gets set to yes, when non-authenticated page is loaded auth gets set to no. Then in privacy rules, Current user is company’s user / Current user’s company is quote’s company etc plus an ‘or Current User’s auth is no’.

This has the disadvantage of modifying/checking a thing every time a page is loaded. Perhaps someone will come up with a better suggestion :slight_smile:

4

Thanks for the response @georgecollier, I appreciate it :slight_smile:

It sounds like that could work, but I’m a bit concerned about the security. Wouldn’t that mean that the Bubble api could be anonymously used to fetch all the data (regardless of company) that is set up with this security rule?

5

You can just change the or statement to with us no and current user’s company is quote’s company etc

Make sure that doesn’t throw the error though, not sure if it would work