How can I disable "run as" for app owner and developers?

I am developing an application where encrypted data is kept. Therefore, anyone should not view the information of the users in the live with the “run as” feature. I need to disable “run as” feature including developers and application owner.

image874×189 12.7 KB

I found these options in settings. There doesn’t seem to be an option where I’m allowed to edit but “run as” is disabled. Is it possible to disable this feature?

If there is no way to disable “run as”, how do I know if a user is logged in with “run as”? If I can detect this with a flow, I can log the user out and redirect him to the login page.

The “run as” option only exists for test purpose, only the developers can do it through Bubble’s editor. You will not have users “running as” other users. The develpers have also access to the database, so all the information will be there if they want to see.

I already want to disable it for developers. I know other users don’t have this feature.

I encrypt the data and save it to the database, so when developers look at the database, they will see meaningless strings.

The short answer is you can’t disable the feature, and I don’t believe there is a way to detect when someone is using run as to run the app as another user. Somewhat surprisingly, I don’t see an idea for disabling the feature on the ideaboard, so you might want to submit it.

Edit: Found it on the ideaboard… you can vote for it.

Thanks, I voted

I already thought about it… but this seems to be tricky to implement, as the user who can disable this feature will probably be the one who can enable it back… maybe something that requires approval of more than one person…. Don’t know…

EDIT: furthermore… if the developer really want to see the information, he can also change the privacy settings and became able to see the private data. This is not an easy thing to implement…

Even though… if you are using an API to do it, if the POST is not private, the developer logged in Bubble’s editor can search your server log to discover the raw data sent to be encrypted…

How you do that?

I absolutely agree with you. I think bubble.io should offer the option to disable this feature. As you said, if the developer really wants to see the data, he will find a way. But I still want to complicate things a bit for the developer.

I used a plugin. If you are interested, you can check this link.