Data API Auth problem?

TL;DR: Sending a GET request with no auth token at all returns results, even with restrictive Data protection rules on the data type.

Any thoughts on why authentication isn’t respected here? The Bubble Manual says that auth to the data entity is performed through the Privacy rules. I have those in place and the “Everyone else” field is completely empty, which should restrict access to this data object type for unauthenticated users. But this is not the case. So the whole world has access to these data types.

Any suggestion would be appreciated.

Maybe you can share a screenshot of your privacy rules? Also, be sure to be in another browser or in incognito mode.

Sure thing @Jici

I wonder if there is a flaw in that second rule’s logic

Do you have
A) Items with empty creator? (rare, but not impossible)
B) Items with empty organization?

That was it, @Jici, thank you. It was B. Item with empty organization. The lack of Org parameter must have counted as an empty field and returned the integrations with empty Orgs. Thanks so much.

1 Like

Probably my lack of proper understanding of the Privacy rule execution as it pertains to Data API parameters.

To be sure someone cannot access if not logged in, add a constraint for "Current User is logged in" in the privacy rules for both A) and B).

1 Like
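The failure mode resolved in this thread, as an added example that is not part of the original posts and is not Bubble's own code: a simplified Python model of two privacy rules matching an unauthenticated Data API caller because an empty field on the record equals the caller's empty field. The rule wording, class names and sample records are assumptions, since the screenshot of the actual rules is not on the page.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class User:
    uid: Optional[str] = None           # None for an unauthenticated caller
    organization: Optional[str] = None  # empty field modelled as None
    logged_in: bool = False


@dataclass(frozen=True)
class Integration:
    name: str
    creator: Optional[str]
    organization: Optional[str]


Rule = Callable[[Integration, User], bool]


def weak_rules(item: Integration, user: User) -> bool:
    # Assumed rules: A) creator is Current User,
    #                B) organization is Current User's organization.
    # An empty field on both sides compares equal, so the rule matches.
    return item.creator == user.uid or item.organization == user.organization


def hardened_rules(item: Integration, user: User) -> bool:
    # The thread's fix: A) and B) also require "Current User is logged in".
    return user.logged_in and weak_rules(item, user)


def data_api_get(items: List[Integration], user: User, rules: Rule) -> List[str]:
    """Names a caller can read when 'Everyone else' grants nothing."""
    return [i.name for i in items if rules(i, user)]


def empty_field_items(items: List[Integration]) -> List[str]:
    """Audit helper: records with an empty creator (A) or organization (B)."""
    return [i.name for i in items if i.creator is None or i.organization is None]


# Constructed sample data, not taken from the thread.
ITEMS = [
    Integration("crm-sync", creator="u1", organization="org-1"),
    Integration("legacy-import", creator="u1", organization=None),
    Integration("seeded-record", creator=None, organization="org-2"),
]
ANONYMOUS = User()
ALICE = User(uid="u1", organization="org-1", logged_in=True)
```

Running `empty_field_items` over an export of the data type lists the records that would have matched an anonymous caller under the weak rules, which is the set to review after tightening the rules.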