Huge security issue filtering repeating group

Hi all,

Today, for the second time, a customer reported that he can see data of all other customers in multiple repeating groups on one page. The way I set it up is as follows:

  • Repeating groups display all records related to ‘this page’s record’ (the record transferred from the previous page)
  • Normally this filter is applied correctly
  • Sometimes the filter is not applied and all records show up :frowning:

Sometimes it seems to happen that the repeating group forgets to show only ‘this page’s record’ but simply shows ALL records.

How can I ensure the repeating group only shows records related to ‘this page’s record’ and NEVER shows anything more than that? I’d rather have an empty repeating group than customers seeing data from others!!

Thanks!

Wouter.

You need to implement privacy data roles in your app ASAP especially if you have active users in production (!!!).

https://manual.bubble.is/working-with-data/privacy-and-security.html#privacy--security

These settings prevent any possibility of the incorrect (however you wish to define that) data being queried by users and the public at large. I think you should still report the issue of a filter not applying on page load as a bug report:

https://bubble.io/bug_report

Might need to see more to know the exact cause and fix, but in general…

A quick fix might be to leave the Data Source for the repeating group empty, and then in the Conditions Tab:
When This Page’s Record is not empty
Data Source - search using the Current Page thing constraint

When the Current Page record is empty, the search is being made and all your app data is being shown as the constraint for the Current Page thing is empty.

The fix you want to eventually make is going to be setting Privacy Roles on your Data Types. This will ensure that a User cannot accidentally see data they are not supposed to see.


Geoff | Top Shelf Templates

This is a good interim solution you can implement right away. Good call @gf_wolfer – I am using similar methods; this also helps reduce page load times in my experience, since you’re not trying to execute multiple searches at the same time, instead waiting for conditions to pass before adding a new query to the DB.


Thanks for your answers!

I decided to implement privacy/security rules immediately, but before pushing it into production. Is the following a correct rule?

When do I need to enable auto-binding?

Thanks again!

Wouter

One of the security rules fails with an error, I don’t see how I can fix this one:

This is the only ‘thing’ that is not created by the logged in user in the first place, the ‘parent thing’ is, so I try to reference to the ‘creator’ of the parent thing.

It doesn’t only show the error, it also doesn’t show the data in the app :wink:

Will privacy settings slow down an app?

You’re not alone! This is a current limitation on Bubble’s end (as stated in the error). One method of getting around this is storing the creator’s UID or email address directly on your “Reactie_extern” table – instead of trying to reference a thing within a thing, you could say “This Reactie_extern’s Custom_Creator_Field is Current User’s [insert UID/email]” which would be a text data type.

Maybe others can chime in on what works for them. I have been using this method.
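To make the two points in this thread concrete outside of Bubble, here is an added example (not Bubble’s implementation and not code from anyone in this thread). It models the earlier reply’s failure mode, a search whose page constraint is silently dropped when the page record is empty so every row comes back, next to the fail-closed condition and a server-side ownership rule that filters rows no matter what the page asks for. It also shows this reply’s workaround: copying the parent’s creator onto the child table (here a hypothetical `project_creator` column on `reactie_extern`) so the ownership rule needs no join. Table and column names and the sample rows are constructed stand-ins, and SQLite stands in for the app database.

```python
import sqlite3
from typing import List, Optional

# Constructed schema: a parent "project" owned by a customer and a child
# "reactie_extern" created by external users. Names are assumptions for this
# example, not Bubble's own data types.
SCHEMA = """
CREATE TABLE project (
    id      INTEGER PRIMARY KEY,
    creator TEXT NOT NULL,
    name    TEXT NOT NULL
);
CREATE TABLE reactie_extern (
    id              INTEGER PRIMARY KEY,
    project_id      INTEGER NOT NULL REFERENCES project(id),
    project_creator TEXT NOT NULL,   -- denormalised copy of project.creator
    author          TEXT NOT NULL,
    body            TEXT NOT NULL
);
"""


def add_reactie(conn: sqlite3.Connection, project_id: int, author: str, body: str) -> None:
    """Insert a child record and copy the parent's creator onto it, so an
    ownership rule can be evaluated per row without referencing the parent."""
    (creator,) = conn.execute(
        "SELECT creator FROM project WHERE id = ?", (project_id,)
    ).fetchone()
    conn.execute(
        "INSERT INTO reactie_extern (project_id, project_creator, author, body) "
        "VALUES (?, ?, ?, ?)",
        (project_id, creator, author, body),
    )


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, each with a project and two replies."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO project VALUES (?, ?, ?)",
        [(1, "alice", "Alice's project"), (2, "bob", "Bob's project")],
    )
    for pid, author, body in [
        (1, "ext1", "reply to alice A"),
        (1, "ext2", "reply to alice B"),
        (2, "ext3", "reply to bob A"),
        (2, "ext4", "reply to bob B"),
    ]:
        add_reactie(conn, pid, author, body)
    return conn


def search_ignoring_empty_constraints(conn: sqlite3.Connection,
                                      page_project_id: Optional[int]) -> List[str]:
    """The failure mode: an empty constraint is dropped rather than failing,
    so with no page record the WHERE clause disappears and ALL rows return."""
    sql = "SELECT body FROM reactie_extern"
    params: tuple = ()
    if page_project_id is not None:  # constraint only applied when non-empty
        sql += " WHERE project_id = ?"
        params = (page_project_id,)
    return [row[0] for row in conn.execute(sql + " ORDER BY id", params)]


def search_fail_closed(conn: sqlite3.Connection,
                       page_project_id: Optional[int]) -> List[str]:
    """Client-side fix from the thread: no page record means no search at all."""
    if page_project_id is None:
        return []
    return [row[0] for row in conn.execute(
        "SELECT body FROM reactie_extern WHERE project_id = ? ORDER BY id",
        (page_project_id,),
    )]


def search_with_privacy_rule(conn: sqlite3.Connection, current_user: str,
                             page_project_id: Optional[int]) -> List[str]:
    """Server-side rule: rows are always filtered by ownership, so a dropped
    page constraint can only narrow the result, never widen it."""
    sql = "SELECT body FROM reactie_extern WHERE project_creator = ?"
    params: list = [current_user]
    if page_project_id is not None:
        sql += " AND project_id = ?"
        params.append(page_project_id)
    return [row[0] for row in conn.execute(sql + " ORDER BY id", params)]


if __name__ == "__main__":
    db = make_db()
    print("dropped constraint:", search_ignoring_empty_constraints(db, None))
    print("fail closed:       ", search_fail_closed(db, None))
    print("privacy rule:      ", search_with_privacy_rule(db, "alice", None))
```

The fail-closed condition only protects the one page it is applied to; the ownership rule in `search_with_privacy_rule` is the equivalent of a privacy role because it is enforced on every query regardless of which page or constraint produced it.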

Not from what I can tell. None of my apps have reached thousands of active users so I can’t say for certain this won’t ever be an issue as I scale up. Bubble staff would be more knowledgeable than myself in this area. Keep in mind the biggest performance hits will come from other factors. There is a great thread on app performance here: Performance Q&A guide