Help with Privacy Rules

Hi, I’m intending to build a calculator app with the following flow:

User enters without registration → User inputs scenario variables → User information is sent to pipedream via API to be calculated/analyzed using python and then pipedream sends back detailed scenario information to app database via bubble data API → Page is loaded with user’s thing’s unique id displaying calculated information, etc.

I’m running into issues with the privacy rules whereby it seems that I have to expose the entire data API to get the webpage load to work correctly and be able to populate database via API.

Is there a setting such that information is visible through the API only if Private Key is supplied, but any user with the correct thing unique id can see the information via the webpage, even if they are not logged in/registered?

Yes, you should be able to do this via Privacy Rules.
It’s possible that your Privacy Rules don’t give access to some important fields, which is why this happens.
The Private Key is for authentication and doesn’t have a role to play with Privacy Rules.

Can you share what your current privacy rules are?

Thanks for your reply.

So, I’ve effectively got two things in the app. Thing1 records all the values input by the user. Thing1 is then used in the python calculation and produces Thing2 which is a data frame for calculation results from year x to year y linked by a common ID from Thing1 and then put into the database via API. The page in question’s “thing” is thing 1 and then based upon its ID, the values from Thing2 are pulled in for display.

Thing1’s privacy setting “when This Thing’s slug is not empty” view all fields and find in searches.
Thing2’s privacy setting “when This Thing’s timestamp is not empty” view all fields and find in searches.

If the user loads the page for their results’ unique ID, I’d just like them to be able to get the Thing1 associated with it and then the Thing2 associated with that while only allowing the data to be viewed by API if the key is available.

Thanks again in advance for any help you’re able to render!

Oh I see

From a Privacy Settings perspective, you could leave the necessary fields on thing 1 and thing 2 open to the public. This is because you don’t have any parameters on the user or the things that can let you identify the nature of the user logged in (since this functionality is being made available to non-registered users).

Are either of thing 1 and thing 2 created by the user (does the workflow to create them run during the current user’s session)? If so, you could use a privacy setting for non-registered users, saying something like this:
For example, on thing 1: “when this thing1's creator is current user” could be the condition for access.

Bubble creates a temporary User thing for even non-registered sessions. So a thing created by such a user would have a parameter (created by) that you can track back to the user on the current session. User data would be lost in a few hours/days of course, so this would be a session-dependent rule.

Thanks again for your help and suggestion. Because the information just needs to be tied together across the reloading of the page with updated information, I assigned a slug to current user and then reloaded page with that user being sent. This let me add fields in the database for linking to that user in both Things and also enabled me to set correct privacy rules. Thanks again!
