Do Privacy Roles/Rules make your pages load less quickly?

I was also reading over @josh’s post here: Josh: Request for a Security Q&A Guide - #18 by josh. Adds some good context.

How do privacy rules work?

Privacy rules are the primary tool in Bubble for specifying who ought to be able to see what data. When designing an application, you should think through, for each kind of data your app will store, who ought to be able to see it. Just the user who uploaded the data? The user and certain other users who meet specific conditions? The general public?

If the answer is not “the general public”, then it is important to create privacy rules. Think of each rule you create as a reason someone ought to be able to see a piece of data. For instance, one reason might be, “I’m the user who uploaded it”. Another reason might be “The user who uploaded it tagged me”. More information on how to set up and use privacy rules is in our manual: https://manual.bubble.is/working-with-data/privacy-and-security.html

Privacy rules get applied whenever your app searches for or retrieves data. Behind the scenes, we add them as extra constraints to searches: if you search for all users, what we really do is search for “all users who the currently logged-in user is allowed to see”. This applies to searches on a page, as well as searches inside workflows: whenever we are running a workflow, we track who the “current user” is, and only show that workflow data that is allowed by privacy rules.

The general rule of thumb is: if privacy rules allow someone to see data, that person can see it. Don’t rely on hiding things on a page or redirecting to a different page to protect secure data, and don’t rely on not having built a search anywhere that returns the data. Those measures might stop someone from stumbling on data accidentally, but they won’t stop someone determined to view it.

If you need to modify data that the current user is not allowed to see, the best approach right now is to use a scheduled API workflow with the “Ignore privacy rules when running the workflow” box checked. This will run the workflow entirely on the server without sending data to the user’s web browser, and it will remove the restrictions on searches, so that the workflow can retrieve data that the user wouldn’t otherwise be able to access.
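As an added illustration (not Bubble's own code, and not part of Josh's post), the Python model below mimics what the quoted text describes: each privacy rule is one reason a viewer may see a record, every search gets the rules AND-ed onto its own constraints for the current user, and a scheduled server-side workflow can opt out of them. The `Photo` type, `PRIVACY_RULES`, `search` and the sample rows are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Photo:
    id: int
    uploader: str
    tagged: set = field(default_factory=set)
    public: bool = False

# Constructed sample data set (hypothetical app storing photos).
PHOTOS = [
    Photo(1, "alice"),
    Photo(2, "alice", tagged={"bob"}),
    Photo(3, "carol", public=True),
    Photo(4, "carol"),
]

# Each rule is one reason a viewer may see a record; any match grants access.
PRIVACY_RULES = [
    lambda viewer, p: p.public,              # "everyone can see it"
    lambda viewer, p: viewer == p.uploader,  # "I'm the user who uploaded it"
    lambda viewer, p: viewer in p.tagged,    # "the user who uploaded it tagged me"
]

def can_see(viewer, p):
    """viewer is the current user's name, or None when nobody is logged in."""
    return any(rule(viewer, p) for rule in PRIVACY_RULES)

def search(viewer, predicate=lambda p: True, ignore_privacy=False):
    """A search as the text describes it: the caller's constraint is combined
    with 'records the current user is allowed to see', unless a server-side
    workflow explicitly asked to ignore privacy rules."""
    return [p.id for p in PHOTOS
            if predicate(p) and (ignore_privacy or can_see(viewer, p))]

def scheduled_workflow_publish_all_by(uploader):
    """Models a scheduled API workflow with 'Ignore privacy rules' checked:
    it runs with no browser user and can reach rows no viewer could see."""
    for p in search(None, lambda p: p.uploader == uploader, ignore_privacy=True):
        PHOTOS[p - 1].public = True
    return search(None, lambda p: p.uploader == uploader, ignore_privacy=True)
```

Note that hiding a result on the page changes nothing here: `search` returns whatever the rules allow, which is exactly the point the quoted text makes.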
