Hi - I’m building an “admin” section of my app which should only be accessible to users with an “admin” field value of “yes”
I have created privacy roles that prohibit users from viewing other users’ data, which was easy and straightforward
But my question is related to the modification of a user’s OWN data. In the case of the ‘admin’ field, you can imagine that this is not something that anyone should be able to update on their own. Because if they could set “admin” to “yes” for themselves, that would then grant them access to private admin pages.
So, is there any additional action I need to take to lock down the editing of this field? Or is Bubble “smart” enough that field modifications are ONLY possible when a page presents a user with an input to change the field and a workflow sets that field?
Said differently - if I don’t explicitly let users set their own admin field … am I still at risk of a sophisticated user somehow spoofing a “Current user → admin = yes” field update?
I can help you set this up, we charge by the minute. I recently launched nocodehunter specifically for these use-cases.
Depending on your setup, privacy rules take approx 30 minutes to 60 minutes to configure and test.
Approx cost would be around €45 to €90. If that works for you, feel free to sign up and add your first task.
Since this is a new platform and I’m still in the process of experimenting, your feedback on the pricing, platform and us in general is highly appreciated.
@ed727 thank you. I have read this but mostly was looking for more explicit confirmation of this:
Said differently - if I don’t explicitly let users set their own admin field … am I still at risk of a sophisticated user somehow spoofing a “Current user → admin = yes” field update?
When I define a privacy role, you can specify whether a user can “View all fields” … the lack of an explicit option to define if users can “Modify fields” is the only thing giving me pause here.
Are ALL data write operations sufficiently veiled behind backend logic that would preclude someone nefarious from forcing an update to a database field that is not editable to a user in the frontend of your app?
Thank you. So long as you mean something like hacking into MY bubble app account, that sounds good to me. Just wanted to make sure there wasn’t a way for someone to catch and spoof browser requests to circumvent this.
Hi, I’m just going by what Bubble says in their privacy section that I linked to. Check out the last paragraph entitled “Workflow security”. It says that privacy rules do not apply to workflows. Since data is created and modified via workflows (unless you’re doing it in the editor), if you have any workflows that modify data then Bubble says you need to put conditions on those workflows to prevent an unauthorized person from executing them.
Data can also be modified via autobinding, but you’ll see the option to disable that right in the privacy section.
That’s just my interpretation of their instructions and you’ll need to rely on your own reading… Bubble support is the ultimate expert for anything you are unsure or concerned about, or go to some outside expert help.
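The point made in the last reply (privacy rules restrict what can be read, while writes happen through workflows that need their own conditions) is the same rule that applies to any web backend: the server must decide which fields a request may change based on the stored role of the user making it, not on whether the page ever showed an input for that field, because a request body can be crafted by hand. The following is an added illustration in plain Node.js, not Bubble's code and not from any poster in this thread; Bubble's workflow conditions are configured in its editor, so the function names (`updateOwnProfileUnsafe`, `updateOwnProfile`, `setAdminFlag`, `makeDb`) and the two constructed user records are hypothetical.

```javascript
// Added example (not Bubble's code): field allowlisting for self-service profile
// updates, with the admin flag changeable only through a separately gated action.

// Fields a user is allowed to change on their OWN record.
const USER_EDITABLE_FIELDS = new Set(["displayName", "bio"]);

// Constructed in-memory "database" standing in for the app's User table.
function makeDb() {
  return new Map([
    ["u1", { id: "u1", displayName: "Alice", bio: "", admin: "no" }],
    ["u2", { id: "u2", displayName: "Owner", bio: "", admin: "yes" }],
  ]);
}

// VULNERABLE pattern: the handler trusts the request body because "the page
// never shows an admin input". A forged body {admin: "yes"} is written as-is.
function updateOwnProfileUnsafe(db, currentUserId, body) {
  const user = db.get(currentUserId);
  if (!user) throw new Error("unknown user");
  Object.assign(user, body); // every key in the body lands in the record
  return { ...user };
}

// HARDENED pattern: the server enforces an allowlist regardless of what the UI
// exposes. Unknown fields are rejected outright (loud failure beats silent
// dropping, since a rejected key in a normal client is a bug worth noticing).
function updateOwnProfile(db, currentUserId, body) {
  const user = db.get(currentUserId);
  if (!user) throw new Error("unknown user");
  const rejected = Object.keys(body).filter((k) => !USER_EDITABLE_FIELDS.has(k));
  if (rejected.length > 0) return { ok: false, rejected };
  for (const k of Object.keys(body)) user[k] = String(body[k]);
  return { ok: true, user: { ...user } };
}

// Privilege changes live in their own action, gated on the ACTING user's stored
// role (the equivalent of a condition on the workflow), never on request data.
function setAdminFlag(db, actingUserId, targetUserId, value) {
  const actor = db.get(actingUserId);
  if (!actor || actor.admin !== "yes") return { ok: false, reason: "forbidden" };
  const target = db.get(targetUserId);
  if (!target) return { ok: false, reason: "unknown target" };
  target.admin = value === "yes" ? "yes" : "no"; // normalise to the two legal values
  return { ok: true, admin: target.admin };
}

// Page-level check: read the role from the stored record, not from the client.
function isAdminPageAllowed(db, userId) {
  const user = db.get(userId);
  return Boolean(user) && user.admin === "yes";
}

// Stand-alone demonstration of the forged-request scenario.
if (typeof require !== "undefined" && require.main === module) {
  const forged = { displayName: "Alice", admin: "yes" }; // constructed attacker body
  const unsafeDb = makeDb();
  console.log("unsafe handler:", updateOwnProfileUnsafe(unsafeDb, "u1", forged).admin);
  const safeDb = makeDb();
  console.log("hardened handler:", updateOwnProfile(safeDb, "u1", forged));
  console.log("self-promotion:", setAdminFlag(safeDb, "u1", "u1", "yes"));
  console.log("promotion by admin:", setAdminFlag(safeDb, "u2", "u1", "yes"));
}

module.exports = { makeDb, updateOwnProfileUnsafe, updateOwnProfile, setAdminFlag, isAdminPageAllowed };
```

The mapping back to the thread: `USER_EDITABLE_FIELDS` is what a workflow's "only make changes to these fields" scope should be, and the role check inside `setAdminFlag` is the "condition on the workflow" that the linked Bubble documentation asks for. Disabling autobinding on the admin field, as the reply mentions, closes the remaining write path that bypasses workflows entirely.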