How can I configure Privacy Rules to control data access?

Greetings, Bubble Community! New developer here. I’m migrating from the worlds of Microsoft Power Apps and WordPress, and I’m trying to figure out how to implement privacy rules to help protect my content.

In a nutshell, I’m wanting to create an online learning site similar to but with a combination of both video and written content. I want to upload files for use in lessons for a course that are only accessible by students in those courses. I’ve created the attached schema diagram to give a sense for what I want to accomplish.

Basically, I want to ensure that users can ONLY see text as well as uploaded videos when viewing lessons in courses for which they pay (e.g., User only able to see Video/Text when viewing Lesson 1 in Course A after purchase). I plan to eventually implement access expiry as well, but I need to get this piece right first.

I know I need to implement some kind of security on the File Content/File types as well as the Courses/Lessons, but I’m unsure where to even start. Any help would be greatly appreciated!

Hi @eLPDev,

It seems to me a basic understanding of some fundamental Bubble concepts is more relevant than the specific data schema being used. Fortunately, file privacy in Bubble is pretty straightforward. As documented here, any uploaded file can be attached to any Thing, and then access is controlled through the View attached files permission for that thing. Privacy rules are well-documented in the Bubble manual.

In the particular scenario you describe, one approach might be to attach uploaded content to a “course” and allow the course to be accessed by only users who are logged in and are enrolled in (have paid for) that course.

That said, if you’re considering hosting videos from your Bubble storage, you should be aware that videos take up quite a bit of storage capacity, and MUCH cheaper storage options exist; but of course, you won’t be able to use Bubble’s native privacy features with files hosted on 3rd-party services.




Thanks for the response, @sudsy! I’ve actually read over that documentation but am still struggling to make it “click” for my scenario, which I’m sure is due to my newness to the platform/my familiarity with alternative approaches to permissions. I’m still a bit unclear on how to efficiently associate privacy levels with users.

Let me ask this:

  • Should I create a List column in the User type and select all applicable roles?
  • Does Bubble support the creation of “permission levels” that can then be reused on multiple Types (e.g., I create one Full Access role and then associate with each Type)?
  • Is it possible to later associate the same file with multiple Things as an attachment?

In other platforms (e.g., SharePoint), I’d create a group, add users to the group, and then grant that group certain permissions at various points in my app, and those permissions would “trickle down” to lower level items. I’m not totally translating that for Bubble.

Thanks in advance.

I wouldn’t try too hard to make analogies with other systems. Bubble does its own thing its own way. Privacy rules are nothing more than additional constraints applied “at the last second” and on top of any constraints specified in the editor. They further restrict data access server-side.

There are probably a number of ways to structure your data, but one approach might be to set up a Course (or Lesson) data type as I’ve already described (attach uploaded lesson content to it) and have a list of Lessons on the User object representing the specific lessons for which they’ve paid.

A privacy rule could then be created on the Lesson data type which says something like When Current User's Lessons Contains This Lesson and enable the View attached files permission.

Bubble supports Privacy Rules (data roles). Sounds like it might be helpful for you to experiment a bit with the feature, which can be found in the app’s Data → Privacy tab.

Yes, “attached” in the Bubble file sense means “bound” permission-wise. So basically, you “attach” the files to the Thing and then control access to the Thing via privacy rules.

Hope that helps.



Actually, I might have misunderstood the following…

I don’t think I’ve ever tried attaching the same file to different things. I was thinking you meant, can different things access a file attached to some other thing; and that’s certainly possible. Perhaps someone else can shed some light on whether a single file can be attached to multiple things (multiple Lessons attached to the same file for example).


Thanks for the update, @sudsy. Very helpful comments, btw.

Yeah, I’m wanting to reduce storage requirements by using one attachment on multiple Things.

Anyone have any ideas?

Perhaps create a Lesson File data type to which the uploaded file is attached? That then gives you a custom Bubble data type to which you can control access via privacy rules. Just a thought.


Interesting idea, @shot. So, are you saying that would look something like this, then?

Type: User

Type: Course
Field: Students (User.List)

Type: File
Field: Lessons (Lesson.List)
Field: Course (Course)
Privacy: “Student” → View attached files if User.PurchasedCourses contains ThisFile.Course

Type: Lesson
Field: Files (File.List)
Field: Course (Course)
Privacy: “Student” → View attached files if User.PurchasedCourses contains ThisLesson.Course
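
The schema and "Student" rules proposed above can be checked as a simplified Python model. This is an added example, not Bubble code and not part of any post in the thread. It assumes a `purchased_courses` field on User (the posted rules reference `User.PurchasedCourses`, but the posted User type lists no fields), and the names `student_rule`, `search` and `visible_files` are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Course:
    name: str

@dataclass
class User:
    name: str
    purchased_courses: set = field(default_factory=set)  # assumed field, see lead-in

@dataclass
class LessonFile:            # the "File" type from the post
    url: str
    course: Course           # single Course field, as posted

@dataclass
class Lesson:
    title: str
    course: Course
    files: list = field(default_factory=list)

def student_rule(user, thing):
    """'Student' rule: User.PurchasedCourses contains This<Thing>.Course."""
    return user is not None and thing.course in user.purchased_courses

def search(things, user, constraint=lambda t: True):
    """Editor constraint first, then the privacy rule filters what is left."""
    return [t for t in things if constraint(t) and student_rule(user, t)]

def visible_files(lesson, user):
    """Files reachable from a lesson: the lesson rule and each file's rule must pass."""
    if not student_rule(user, lesson):
        return []                      # deny by default
    return [f.url for f in lesson.files if student_rule(user, f)]

# Constructed sample data: one upload reused by lessons in two courses.
course_a, course_b = Course("A"), Course("B")
shared = LessonFile("intro.mp4", course_a)
lesson_a = Lesson("A-1", course_a, [shared])
lesson_b = Lesson("B-1", course_b, [shared, LessonFile("b-notes.pdf", course_b)])
alice = User("alice", {course_a})
bob = User("bob", {course_b})

if __name__ == "__main__":
    print([l.title for l in search([lesson_a, lesson_b], alice)])
    print(visible_files(lesson_b, bob))
```

In this model bob, who bought only Course B, is denied `intro.mp4` inside lesson B-1 because the file record points at Course A, which is the case to settle before reusing one upload across courses.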