Data API Security Issue

Hi

We have a paid-for element to our app that includes access to particular data. When navigating onto a page, paid subscribers get to see pricing values, whereas non-paid subscribers do not. We have privacy rules that ensure not-logged-in users get nothing, logged-in un-subscribed users see its existence, but not the pricing, and paid users get the good stuff.

The dataset is quite large and we write into it frequently via the bulk API. We believe therefore that we have to have the data API switched on for this table.

We therefore believe that a bad actor could subscribe to our paid-for service, log into the site, and consume the entire table of private data using the data API.

Would this be incorrect? Can I prevent this other than switching off the data API and thereby stopping my bulk loading capability?

I am aware that theoretically a bad actor with a login to the site could consume the data page-by-page by some kind of web scrape, but I’d see that coming better and we have logging in place to identify and block that.

Richard.

The Bubble documentation around this has massively improved recently thanks to @petter.

https://manual.bubble.io/help-guides/apis-connect-to-other-apps/the-bubble-api/the-data-api/data-api-privacy-rules

Access to a specific data type through the Data API is controlled by the Privacy Rules applied to that type

What this means is whatever data your Users have access to Read via Privacy Rules, they can also Read via the Data API for those Tables for which the Data API is enabled (and, as you say, screen scrape for any Tables, which is only a mildly more inconvenient alternative access method for a motivated person :slight_smile:).

For the writes you describe, that is an explicit separate permission for the Data API.

1 Like
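Because a subscriber's Data API reads are permitted by the same privacy rules as their page views, the logging mentioned in the question needs to cover `/api/1.1/obj/<type>` calls as well as pages. The following is an added example, not code from the thread or from Bubble: it flags a single user paging through one data type with the Data API's `cursor` and `limit` parameters. The log line format, user ids, thresholds and the 100-record default/cap per call are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log; the line format and user ids are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=u_17 GET /api/1.1/obj/price?cursor=0&limit=100 200
2024-05-01T10:00:02Z user=u_17 GET /api/1.1/obj/price?cursor=100&limit=100 200
2024-05-01T10:00:03Z user=u_17 GET /api/1.1/obj/price?cursor=100&limit=100 200
2024-05-01T10:00:05Z user=u_17 GET /api/1.1/obj/price?cursor=200&limit=100 200
2024-05-01T10:00:07Z user=u_17 GET /api/1.1/obj/price?cursor=300&limit=100 200
2024-05-01T10:01:00Z user=u_22 GET /api/1.1/obj/price?limit=20 200
2024-05-01T10:02:00Z user=u_22 GET /pricing 200
2024-05-01T10:03:00Z user=u_30 GET /api/1.1/obj/price?cursor=0 401
"""
LINE = re.compile(r"^(\S+) user=(\S+) GET (\S+) (\d{3})$")
DATA_API = re.compile(r"^/api/1\.1/obj/([^/]+)$")  # list endpoint of one data type

def find_bulk_readers(log_text, max_records=300, window=timedelta(minutes=10)):
    """Map (user, type) -> records read in one window, for users over max_records."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(4) != "200":
            continue  # denied or failed calls returned no data
        ts, user, url, _status = m.groups()
        parts = urlsplit(url)
        api = DATA_API.match(parts.path)  # page views do not match and are skipped
        query = parse_qs(parts.query)
        cursor, limit = query.get("cursor", ["0"])[0], query.get("limit", ["100"])[0]
        if not api or not (cursor.isdecimal() and limit.isdecimal()):
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[(user, api.group(1))].append((when, int(cursor), min(int(limit), 100)))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            pages = {c: n for _, c, n in evs[start:end + 1]}  # a retried page counts once
            total = sum(pages.values())
            if total > max_records:
                flagged[key] = max(flagged.get(key, 0), total)
    return flagged
```

On the sample, only `u_17` is flagged: four distinct pages of `price` (400 records) inside the window, with the retried `cursor=100` call counted once.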