I am trying to set up some privacy rules with date ranges. Specifically, I’m managing a table of events, and I’d like to make sure that some authenticated users can see everything, whereas unauthenticated users can only see events taking place in the next month, but not beyond that, and not in the past.
Is there a way to do so via privacy rules? I didn’t see any comparison operators pop up as I entered date fields into the selectors… Am I doing something wrong?
The other option would be to have a backend workflow periodically update event records with purpose flags (is_free) or something like that, but that looks much less elegant, and might require an upgrade in my subscription.
Thank you. My understanding, correct me if I’m wrong, is that doing it in the search would make the app vulnerable to scraping (somebody could just mess with the interface and pull down all the data).
Your data is vulnerable to that, unless you put in protections against it.
In your case, the use of privacy rules is not going to protect against it, because you are saying you want to use privacy rules only to show specific results to verified users. If the user is not verified, the search, and so the results they could scrape, would only be those from the search and not your entire database.
You are basically just wanting to change the date constraint on a search, which should be done in the search and not privacy rules (can’t be done in privacy rules I believe anyway to use a ‘current date’ operator to show only the next month’s results…and there is nothing in the privacy rules that allows you to set a constraint on which event’s date is in the next month.)
Correct - for business reasons, the value of data about faraway events is vastly higher than data related to current events. That’s why I was looking for secure ways to lock access.
I saw your other post requesting more information about security of searches.
You will benefit greatly from reading up on security itself…there is an e-book out there on the subject and if you search the forum for ‘Bubble Security’ you should find it.
If you’re really scared of a ‘rogue’ client being sophisticated enough to run some scripts on your site to manipulate your search, then you may want to force the issue with Privacy Rules.
However, as already stated the Privacy Rules will not allow you to do the date comparison you are after. So, one just needs to be creative in thought to come up with an alternative approach to allow Privacy Rules to function.
So, in your case, put onto the event data type a field ‘visible to all’ as a yes/no. Make it no by default. Then have a backend workflow that changes that value at a scheduled date/time. This is simply done at the time the event is created, to schedule a backend workflow to be the date of the event minus one month (or whatever time frame you restrict it by) so that the ‘visible to all’ changes at that time.
Then in privacy rules on the event you can use the field visible to all to match up against a User data field. On the user data have some field to signal if they are allowed access or not…simply done with a yes/no field.
It is more than what I think you need, but your concerns are yours, and so your concern is such that you don’t trust the protection of a search constraint, and require the protection of a privacy rule.
Thank you. I had seen the book on security. I’ve set up privacy rules and a back-end script to periodically update flags. Hopefully that doesn’t degrade performance too much as the dataset scales!
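The flag-based approach suggested in the thread, modelled in plain Python as an added example (this is not Bubble code and not from any poster): a scheduled job flips a stored yes/no flag one month before the event, and the access rule compares stored fields only, so it still holds when the client removes its own search constraint. The `has_full_access` field, the 30-day window and the sample events are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # assumption: "one month" modelled as 30 days

@dataclass
class Event:
    name: str
    starts_at: datetime
    visible_to_all: bool = False  # defaults to "no", as suggested in the thread

@dataclass
class User:
    has_full_access: bool = False  # hypothetical yes/no field on the user

def flip_time(event):
    """Moment the scheduled backend workflow sets visible_to_all to yes."""
    return event.starts_at - WINDOW

def run_due_workflows(events, now):
    """Stand-in for the scheduled workflow: flip every flag whose time has come."""
    for e in events:
        if not e.visible_to_all and flip_time(e) <= now:
            e.visible_to_all = True

def privacy_rule_allows(user, event):
    """Server-side rule: compares stored yes/no fields only, no date arithmetic."""
    return event.visible_to_all or (user is not None and user.has_full_access)

def search(events, user, client_constraint=lambda e: True):
    """The client chooses the constraint; the rule is enforced regardless of it."""
    return [e.name for e in events
            if privacy_rule_allows(user, e) and client_constraint(e)]

def demo():
    now = datetime(2024, 1, 10)  # constructed sample data
    events = [Event("near", datetime(2024, 1, 20)),
              Event("far", datetime(2024, 6, 1))]
    run_due_workflows(events, now)
    anonymous = search(events, None)          # constraint removed by the client
    member = search(events, User(has_full_access=True))
    return anonymous, member

if __name__ == "__main__":
    print(demo())
```

The scheme as described in the thread only turns the flag on; hiding events once they are in the past would need a second scheduled change, which is not modelled here.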