How to securely implement 'anyone with this link can view this page'

How can I set up ‘anyone with this link can view this page’-type functionality, similar to when you share a Google Doc?

Example from Google Docs:

Context:
I have a site which has only two data types: ‘Users’ and ‘Prospects’. My site has 2 pages.

Both pages are set to have the type ‘Prospect’. Each page contains elements like files, videos, and text, which are populated dynamically when the page loads based on which Prospect is used to populate the page.

My goal is that only people who have a specific URL (one which includes a valid prospect identity) should be able to view the pages.

To avoid people being able to load these pages by simply guessing the URL, I have added a random 6-digit number to the end of the ‘slug’ field for each prospect. I have put all of the elements of a page into a group, and set the group to only be visible if: ‘search all Prospects contains Current Page’s Prospect’:

For example: [example URL containing the slug ‘prospectA’] loads Page 1, runs a search to see if my database of Prospects contains ‘prospectA’, and then if it does it makes the elements of the page visible. The elements themselves (e.g. Video, text etc.) are then populated dynamically (e.g. ‘Current Page Prospect’s Video ID’).

This is all good, and working fine.

My question is whether this is in fact secure or not – in particular, I’m concerned about the step when the page is loaded, and Bubble runs a search through all Prospects in my database to see if one matches with the data included in the URL.

For example, is there a risk that someone could somehow extract the list of all Prospects in my database, and then use that information to construct a valid URL needed to load a prospect’s information on a page?

Thanks in advance!

From the Bubble Manual

-Steve

Thanks Steve. Do you have any ideas how I could use privacy rules in this case to keep the data private, while also enabling the functionality of ‘anyone with this link can view this page’? Thanks

Well, AFAIK, “keep the data private” and “anyone with this link can view” are completely opposite things, and a page can’t be both at the same time. The latter means that the page is public; it’s just that the URL is difficult to guess, and so it’s highly unlikely someone who hasn’t been directly provided the link will discover it.

That’s also true for the Google Doc link you referenced as an example. That doc is not “private” at all. If someone with that link posts it to social media or otherwise broadly shares it, then anyone with that link can access the document.

If that’s what you’re after, then sure, it seems like you could just create a URL that would be difficult to guess. Bubble’s new Page Slug feature could come in handy for that. It might be as simple as generating a “hash” from a Thing’s unique ID to serve as the page slug.

If, instead, you’re after truly “private” data, then I think the only way to have direct control over who sees the resource is to require logging into an account on your app.

-Steve

Thanks Steve. Yes, I don’t need the page to be truly private. I’m comfortable with the small possibility that someone could randomly guess the link, but I just want to avoid the possibility that someone (most likely, someone who already has one valid link) could find other valid Prospect slugs if they are somehow being exposed on the page.

Just to double check on that: if I load a page, is a list of Prospects being sent from the Bubble server to the user’s computer, or is that search of the database happening entirely on Bubble’s server? If the latter, I think I’m good to go because no other Prospect’s slug would be sent to the user’s computer.

If a list of prospects is in the search results (i.e. if there’s a list of prospects on the page somewhere), then yes. The search itself happens on the server. It’s the results of the search that are sent to the client (browser). Again, be sure to use privacy rules to control view access to data.

Thanks. No, there’s no list of prospects in the search results. I’d use privacy rules to be doubly sure, but that breaks the desired functionality of allowing users to view material on a page based only on a unique URL. Thanks!

Hi everybody,

I’m struggling with a similar issue and it seems there is no solution. The thing is:
if you have a page with data type “something”, the page is only visible if the privacy rule of this data type is set to “find in searches”. If I uncheck this option, the page is blank (no matter that “view all fields” is checked). So it seems that the Bubble engine handles addressing a page datatype via unique_id or slug from the URL as a search 😮

And as far as I understand (or maybe I’m wrong?) if you have a “find in searches” checked, it means that basically everybody can read all data within this datatype.

So, there is no way to securely implement “anyone with the link can view this page” for now?
@emmanuel please help. Thanks a lot!

Hi @twillcs and @oleg.sobolev66 – were you able to find any solution? I am working on similar functionality in my app (data is private, but I want to be able to generate a link that would allow anyone with the link to view a specific record).

I wonder if it can be accomplished via Bubble calling its own data via the API connector.

Just guessing: What about a new data type that’s built for the sole purpose of sharing? You copy over plain text values and such so that it’s shareable in a relatively secure way and you can apply different privacy rules without affecting the main source of the data. You’d need to build some backend workflows to update this secondary sharable data type if the main one changes. Just an idea I had.

I’ve pondered this subject for a while because I eventually want my users (who are business owners) to provide URLs for invoices to their customers that can be paid online without needing their customers to have a password or anything like that.

Thanks for taking a look! I could see that working, or a similar approach where you create a “code” field which is empty, and then when you want to share an entry, the workflow populates the code field and uses it in the link you send (the link would use the code as a parameter that Bubble uses to find the entry). You can then use privacy settings to only make entries public when the code field is used.

Both this approach and the datatype dupe approach you mention basically create a subset of the database which is “public” and therefore is potentially findable.

If information is sensitive, I wonder if there’s a way to use the API connector to connect Bubble to itself, so that a code is sent and Bubble checks it on the backend, and then sends back data via the API connector only if the code matches something in the datatype. I’m learning about these types of lookups currently and will post if I figure it out.

But it sounds like there’s no way unfortunately to accomplish such a link via the regular privacy rules and search functionality.
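Steve’s hard-to-guess slug earlier in the thread and the “code” field described in this post are the same design: a capability URL, where the secret in the link is the entire access check. The following is an added example written for this page in Python; it is not code from the thread, from Bubble, or from any poster. It differs from the two sketches in two ways that matter for the concerns raised above. The code comes from a CSPRNG rather than from hashing the record’s unique ID (a hash of a value someone can predict is itself predictable), and the database keeps only a SHA-256 digest of the code, so that even someone who can read the whole table (the OP’s worry about extracting the Prospect list) cannot reconstruct any live link. The `Prospect` records, `ShareStore`, and base URL are constructed for the example; `guess_work_bits` puts the 6-digit number from the original question next to a 256-bit token.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


# Constructed stand-in for the thread's "Prospect" data type.
@dataclass
class Prospect:
    unique_id: str
    name: str
    # Hex SHA-256 of the share code. The code itself is never stored, so a
    # reader of this table cannot rebuild anyone's link from what is in it.
    code_hash: Optional[str] = None


def hash_code(code: str) -> str:
    """Digest used both when storing a share code and when looking one up."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def guess_work_bits(token_space: int) -> float:
    """log2 of the number of equally likely codes an attacker would have to try."""
    return math.log2(token_space)


class ShareStore:
    """In-memory stand-in for the database plus the server-side lookup."""

    def __init__(self) -> None:
        self.by_id: Dict[str, Prospect] = {}
        self.by_code_hash: Dict[str, Prospect] = {}

    def add(self, prospect: Prospect) -> None:
        self.by_id[prospect.unique_id] = prospect

    def create_share_link(self, unique_id: str,
                          base_url: str = "https://example.invalid/prospect/") -> str:
        """Mint a fresh 256-bit code, remember only its digest, return the link."""
        prospect = self.by_id[unique_id]
        code = secrets.token_urlsafe(32)           # 32 random bytes -> 43 URL-safe chars
        if prospect.code_hash is not None:          # re-sharing rotates the old link out
            self.by_code_hash.pop(prospect.code_hash, None)
        prospect.code_hash = hash_code(code)
        self.by_code_hash[prospect.code_hash] = prospect
        return base_url + code

    def resolve(self, code: str) -> Optional[Prospect]:
        """Server-side check: return the single matching record, or None.

        Only the matched record leaves the server; the set of candidate records
        is never sent to the browser. Because the lookup key is a digest, nothing
        stored in the table equals anything that appears in a URL.
        """
        return self.by_code_hash.get(hash_code(code))

    def revoke(self, unique_id: str) -> None:
        """Disable the current link for a record without deleting the record."""
        prospect = self.by_id[unique_id]
        if prospect.code_hash is not None:
            self.by_code_hash.pop(prospect.code_hash, None)
            prospect.code_hash = None


def code_from_link(link: str) -> str:
    """Extract the code component from a link produced by create_share_link."""
    return link.rsplit("/", 1)[1]


if __name__ == "__main__":
    store = ShareStore()
    store.add(Prospect("prospect-a", "Prospect A"))   # constructed record
    link = store.create_share_link("prospect-a")
    print(link)
    print(store.resolve(code_from_link(link)).name)
    print(store.resolve("000000"))
    print(f"6-digit number: {guess_work_bits(10**6):.1f} bits of guesswork; "
          f"token_urlsafe(32): {guess_work_bits(2**256):.0f} bits")
```

The timing of the dictionary lookup is not a concern here because the key is a preimage-resistant digest of the secret, not the secret itself. Re-sharing or revoking a record only touches the digest column, which is what lets a link be rotated without changing anything else about the record.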

Hi @BrianHenderson I have the same use case. Did you ever figure out a way to do the ‘anyone with this link can view this page’? thanks!

Hi @42.decaen

Yes! Although I haven’t implemented it quite yet. I will send an email with the invoice attached as a PDF, and the link in the email will take them to a page that simply states the invoice number, the amount due, and with inputs to enter credit card payment information online. If they wish to use a saved payment method, then they will have an option to sign in. Once signed in then they’ll securely have a way to view past invoices and manage payment methods and so on. This is the method that QuickBooks Online uses and so I’m going to blatantly be “inspired” by their design 😆

So, long story short, in my privacy rules then there’s only a very small amount of information I need to make publicly available for quick and easy payments and I can also provide a clear path to sign in for more advanced functionality.

This is what I ended up doing, and it works very well for my use case (creating a new thing with just the data needed, publicly visible, with a backend workflow to delete the thing 48 hours after it is sent to the user via SMS). Works well ✔️

Thanks @BrianHenderson ! Makes sense, I will go ahead and implement a similar approach

Btw @BrianHenderson quick question. How did you build your invoices? After much research and various trials, I’ve settled on an HTML to PDF API service called pdfmonkey.io; this seemed to be the most stable solution for me.

Another alternative is to allow an API to be run within a set threshold, which can be used to scrape the data you need but won’t work after a specified time. You can add a “timed” parameter to your API and make it so it won’t collect data AFTER the specified time. This way YOU DON’T need to mess with privacy settings, and can keep everything private at all times, with a timed lock.
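The “timed lock” in this post can be built without storing anything per link: sign the record id and a deadline into the link itself, so the server can refuse it once the deadline passes and will notice if anyone edits the deadline. The following is an added example written for this page in Python, not code from the thread or from Bubble. It uses HMAC-SHA256 over a base64url-encoded JSON body, checks the tag in constant time before parsing, and treats `ttl_seconds=None` as a link with no deadline, which is the non-expiring variant raised in the reply that follows. `SERVER_KEY`, the record id `inv-42` and the timestamps are constructed for the example; a real deployment keeps the key server-side only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In a real deployment this is 32+ random bytes that
# never leave the server; anyone holding it can mint a link for any record.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(body: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 tag over the encoded body, itself base64url-encoded."""
    return b64url_encode(hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest())


def mint_link_token(record_id: str, ttl_seconds: Optional[int],
                    now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Build 'body.signature' carrying the record id and an optional expiry.

    ttl_seconds=None yields a link with no deadline. Such a link can then only be
    withdrawn by rotating the key or keeping a server-side deny list (omitted here).
    """
    issued = int(time.time() if now is None else now)
    payload = {"id": record_id,
               "exp": None if ttl_seconds is None else issued + ttl_seconds}
    body = b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{sign(body, key)}"


def verify_link_token(token: str, now: Optional[float] = None,
                      key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the record id if the token is authentic and unexpired, else None."""
    if token.count(".") != 1:
        return None
    body, sig = token.split(".")
    # Verify the tag before trusting any field, in constant time, so a client
    # cannot learn which byte of a forged tag was wrong. Any change to the body,
    # including an edited "exp", changes the expected tag.
    if not hmac.compare_digest(sign(body, key).encode("utf-8"), sig.encode("utf-8")):
        return None
    try:
        payload = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if exp is not None and current >= exp:
        return None                      # the timed lock has closed
    record_id = payload.get("id")
    return record_id if isinstance(record_id, str) else None


if __name__ == "__main__":
    issued_at = 1_700_000_000            # constructed timestamp
    token = mint_link_token("inv-42", 48 * 3600, issued_at)
    print(token)
    print(verify_link_token(token, issued_at + 3600))        # inv-42
    print(verify_link_token(token, issued_at + 49 * 3600))   # None, expired
```

The server still decides what the returned record id is allowed to display; the token only proves that the link was issued by the server and has not been altered or outlived its deadline.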

Thank you. However, I don’t want the link to expire so I guess this solution won’t work.

Add a follow-up workflow to delete the pin afterwards?