Hi, I have a problem that I’m hoping someone can help with. There are other similar posts but I can’t find anything that directly addresses my challenge.
My situation is this: I have an app that allows a user to input a guess, and I need to compare that to an answer in my database that I don’t want to make visible in the browser console.
Right now, I’m storing the user’s guess in the database and then I have a workflow step that compares the user’s input in the field to the answer in the database. The problem is that the answer is being displayed in the browser console, so people can see it when they shouldn’t be able to.
I’ve tried modifying the permissions on the answer data, but when I make it private and not searchable it still shows up in the console.
For these types of checks where you don’t want to expose the answer on the browser console the best approach is to actually create privacy rules that stop the user from seeing that data, and then create a backend workflow that bypasses privacy rules where you can run the search and then return a boolean stating whether it was the correct answer or not, or any extra data you may need but you don’t want to expose on the client.
This will ensure that the sensitive data effectively never leaves the server, it’s not accessible to the user if they know how to query it, but the info you need is returned correctly.
This is a very common flow, the most common one being vouchers and promocodes - you don’t want the user to be able to view any promocodes, but you need them to be able to check for their existence and return the data related to the checked promocode.
In Bubble, calling your own backend workflows is a bit tedious, but this topic might be useful:
Is the ‘admin only’ rule the only rule you have applied?
Are you on the same version/branch on the editor and run-mode? (i.e. live vs dev vs other branch)
Do you tend to rename fields?
Bubble has an issue that it doesn’t actually rename the underlying fieldNames when you rename the Bubble display names.
I can see that there are only 4 fields being exposed, and there are only 4 fields exposed on the browser. You can see that they each have a slightly different name ( ’ ’ → ‘_’ aside)
Is it possible that the fields you are seeing are the ones that are actually exposed?
Using the debug tool’s inspect mode, check what the display names of the data being loaded are.
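
The server-side check described in the reply above (look the answer up on the server, return only a boolean or the data tied to one matched promo code), sketched in Node.js as an added example that is not part of the original thread and is not Bubble's own code. The function names, the in-memory maps and the case-insensitive matching are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample data standing in for the private database records.
const ANSWERS = new Map([["puzzle-1", "Lighthouse"]]);
const PROMOS = new Map([["SPRING10", { percentOff: 10 }]]);

// Hash both sides to equal-length digests so timingSafeEqual can compare them
// without leaking, through timing, how much of the guess matched.
function digest(text) {
  return crypto.createHash("sha256").update(text.trim().toLowerCase()).digest();
}

function secretEquals(a, b) {
  return crypto.timingSafeEqual(digest(a), digest(b));
}

// Hypothetical backend step: the reply carries a boolean and nothing else,
// so the stored answer never appears in anything sent to the browser.
function checkGuess(puzzleId, guess) {
  const answer = ANSWERS.get(puzzleId);
  if (typeof guess !== "string" || answer === undefined) return { correct: false };
  return { correct: secretEquals(guess, answer) };
}

// Promo-code variant: the caller learns about the one code it submitted,
// never the list of valid codes.
function checkPromo(code) {
  if (typeof code !== "string") return { valid: false };
  for (const [known, data] of PROMOS) {
    if (secretEquals(code, known)) return { valid: true, percentOff: data.percentOff };
  }
  return { valid: false };
}

// What the client would receive for a right guess, a wrong guess and a promo lookup.
console.log(JSON.stringify(checkGuess("puzzle-1", " lighthouse ")));
console.log(JSON.stringify(checkGuess("puzzle-1", "harbour")));
console.log(JSON.stringify(checkPromo("spring10")));
```
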