Image security/privacy on S3

Hey everyone, I have a question about how image privacy works with Bubble. I have recently made an app where users are asked to upload photos of sensitive information & so I’m wondering how to set things up properly so that the photos can only be seen by that user and admin users. I see that images are uploaded to AWS by default, but if you copy-paste the image URL into the web browser it looks like anyone can see it! Is this standard behavior? What are the best practices for keeping these images private?

Some things I’ve recently done:

What I’m still unclear about is the s3 url – is that still public to anyone? I think there’s something I’m not quite understanding…

Thanks for any help!

Hi there @cstudio,

In your picture uploader, there is an option for you to make it private attached to a user, so that specific user is the only one that can view it.

Hey Johnny, I’m guessing you mean this which I’ve just recently enabled:
[Screenshot]

Does that mean the admin users won’t be able to view the image? What about being able to view the image in the database? Will that be possible with this checked? And finally, what about the image that’s actually hosted on s3 – who will be able to see that? Anyone with a link?

Thanks for any extra info 🙂

Hey @johnny ,

I actually just tested this out and it does exactly as you said. The only problem though, is that I need the image to be visible to admin users as well (either as an admin user using the app itself or directly through the bubble database). Is that possible?

Attach this file to

This option is only visible if ‘Make this file private’ is selected. Private files uploaded with this element are permanently attached to a thing, which is used to determine who has access to view the file. Only users who have the ‘View attached files’ permission for that thing can view the file. Go to the Privacy section to create privacy rules that grant this permission. If the value of ‘Attach this file to’ is empty or the thing does not exist, the file will be visible to anyone who has the link, which is the same as if ‘Make this file private’ was not selected.

You can create a privacy rule for that.

Thanks, I did see the docs but was having a hard time making sense of it. Thanks for your help!

One more question – I’ve just added the privacy rules so that admin users can see as well but what about being able to view the data directly in the Bubble database? Is that possible? And if so, how can I set that up properly?

What do you mean in the Bubble database? In the file manager?

Yea like directly within “App Data”

b/c I just tested with that “attach this file to” set to current user and I wasn’t able to view the file on s3. But I need to be able to see that.

So to clarify, the only people I want to see this particular image are:

  • The current user who is logged in
  • Users where “isAdmin” is true
  • Anyone who has access to the Bubble backend

Hmm, not sure about this one.

Maybe someone in the community knows the answer to this or @jess?

Just create a user for anyone who has access to the Bubble backend and set “isAdmin” to true.

Ohhh I didn’t realise the Bubble backend respected my app’s users! Interesting, thanks so much for the help everyone!

That’s probably a bit too general of a statement - the Bubble backend will still show App data to everyone who has access to the backend. However if you are finding that opening these private images (in App data) in a new tab is not working for you, then it would make sense that Bubble needs a user record to check that they had permission to access it.

Hmm ok, I’m still not 100% clear but I managed to get it working.

My settings are:

  • For the picture uploader, enable “Make this private” and I attached it to “Current User”
  • Then in the Privacy settings being able to view that image is only set to “Current User” or where “isAdmin is yes”

How this worked in practice:

  • When viewing the data in the database as a Bubble user, I was only able to view the image if I was logged in to my app as an admin user (or the owner of the image). If I wasn’t logged into my app (and was only logged in to Bubble) I wasn’t able to see the image.
  • The same is true if trying to view the image by copy-pasting the link into the browser. I was only able to see it if I was logged in to my app as the Current User or as an admin.

Is that expected? Or have I still misunderstood something?

@cstudio that all sounds expected to me.

Hey @cstudio, I’m trying to figure out how you did this. In the Privacy Settings, could you copy/paste or screenshot what the rule syntax is? Is the rule set against the User type, or against the db type that the file is being saved in?
I’m having trouble with the link still working in another browser for the first 5 minutes, no matter what the privacy rules are. After 5 minutes, it seems to become blocked.
For me, if I leave everything as public, I can view the file in the viewer no problem, and of course via the link. But when I set it to private, I can’t make the viewer work at all, and yet the link is still showing the file. So it’s the worst case 🙂 meaning, the world can see my file, but I can’t via Bubble! Not sure how I got here.

Hey sure, would be happy to share what I’ve done.

For me, the data points that I need hidden are on the User type. So that is where I’ve set the privacy rules & I have 3 rules set up:

In order for me as an admin to be able to see other users’ data, I need to be logged into my app (and not just logged into Bubble). If I’m not logged into my app within the browser (and I’m only logged into Bubble), I can’t see any of the data outside of “Everyone else (default permissions)”.

Hopefully that helps! If you need any more clarification, let me know

Thanks @cstudio, I really appreciate this detail. I think the problem I’m having is that when I log the user out, it doesn’t seem to make a difference, at least for a few minutes. So I’ve set up the rules as you did. Then uploaded the file with privacy set against the user. I save the file to a database. I have a viewer on the page to display the file. All works well. To test the privacy, I logged the user out. I verified the user is logged out by setting some conditional properties on logged out etc… everything looks like the user is logged out. The image still appears AND the link is still active, at least for about a minute or 2. Then finally the image disappears and the link triggers an access denied. So it looks like the privacy rules are seriously lagging behind the actual state of the rule. Any thoughts?

Hmm yea that seems strange! Unfortunately I don’t know enough about the privacy settings to give you other things to look into (I actually find them pretty confusing myself). During my testing everything seemed pretty instant as I would expect. Are the files you’re working with really big or anything? I’m not sure that would even matter but just a thought.

I find the first bullet point works as expected, but the COPY-PASTING of the link will show the file/image without any privacy rules whatsoever for the first 5 minutes.

A test would be this. Upload a file in your app. View the image/file in the app (I assume you have this somewhere in the app). Now right click and copy the image address. Now log out of your app. Open another browser window and paste in the link… presto, image is viewable OUTSIDE your app, and outside of all credentials. This test shouldn’t require any coding etc. Could you try this and see if you get the same result? Sorry to be a pain…

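The logged-out link test described in the last post, written as a repeatable check (an added example, not part of the thread and not Bubble tooling): it requests a file URL with no cookies at a fixed interval and reports how long the link stayed readable. The function names, the 30-second interval and the status codes counted as "denied" are assumptions.

```python
import sys
import time
import urllib.error
import urllib.request

DENIED = {401, 403, 404}  # assumption: statuses counted as "access denied"

def anonymous_status(url, timeout=10):
    """GET url with no cookies or auth headers, as a logged-out visitor would."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def measure_exposure(url, fetch=anonymous_status, interval=30, max_wait=600,
                     clock=time.monotonic, sleep=time.sleep):
    """Poll url until it is denied or max_wait seconds pass.

    Returns (seconds_until_denied, samples); seconds_until_denied is None
    if the link was still readable at the last poll.
    """
    start = clock()
    samples = []
    while True:
        elapsed = round(clock() - start)
        status = fetch(url)
        samples.append((elapsed, status))
        if status in DENIED:
            return elapsed, samples
        if elapsed >= max_wait:
            return None, samples
        sleep(interval)

if __name__ == "__main__":
    # Usage: python check_link.py <file URL copied while logged in>
    denied_after, log = measure_exposure(sys.argv[1])
    for seconds, status in log:
        print(f"t+{seconds:>4}s  HTTP {status}")
    if denied_after is None:
        print("Still readable without a session after the full wait")
    else:
        print(f"Denied without a session after about {denied_after}s")
```

A denial delivered as a redirect to a login page shows up as HTTP 200 here, so compare the sample log with what a logged-out browser actually displays.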