How to Handle Permissions for Deep-Linking

Hello all,

I have a setup with two pages. The first page displays a list of all of a user’s “Things”. The second page displays a detailed view of each Thing. The user can get to the second page by clicking on a UI element on the first page, which will do a page navigation to the second page.

This navigation is set up to pass the Thing’s unique id as a url parameter, which the details page then uses to query the Thing. The reason it is set up this way is to allow “deep linking”, so a user can share their Thing with other users. The set up is currently working correctly.

However, I am running into a conceptual challenge when it comes to expanding this functionality. Suppose a user wants to have the OPTION to share a Thing with other users, by setting a field on the Thing. In this case, when a user arrives at a link, there needs to be an authorization check.

One idea I had was to have a group which obtains the Thing from the url parameter, then has a conditional that only displays that thing if the Thing’s owner is the current user or the setting of the thing is set to “public”. However, I am unsure of how bubble handles this internally? Does it retrieve the Thing on the server, perform the conditional check, and then send the data to the user if it passes? Or does the user receive the data and only display it if the conditional passes? If the second, this approach exposes data to the user that they shouldn’t have.

Another idea I had was to perform an initial query for authorization which returns a simple “yes” or “no” (based on the parameters above). If this is successful, then the user could fetch the Thing as normal. However, I don’t know how I would go about doing this properly. In addition, I believe this will require two queries to obtain the item.

Is there a third option that I’m missing? Or am I incorrect in my concerns about one of the above? Any tips from people who have done similar things are appreciated.