Images in private app

Hi,

I have a private app, closed with a password and it seems like when I upload images, the images are publicly accessible, could you please confirm me this @emmanuel ? And is there a way to limit their visibility publicly ?

Thanks!

Hi @recrutbox, did you set the images to only be visible to logged in Users? Also, do you have any privacy roles in place where only logged in Users can view that image field?

1 Like

Hi @fayewatson, I realise I have to clarify a bit more my point: I was not refering to pages inside the app: when I upload an image (whether it’s a public or private app), I can see an url assigned by Bubble.

For instance, in this example page: https://app0test.bubbleapps.io/version-test/image
the url assigned is: //s3.amazonaws.com/appforest_uf/f1486390527751x516647380776703360/Koala.jpg

and so, the image is publicly accessible no matter my app or page is limited in access.

Ohh, right. I’m not sure if there is a way to prevent that when using the image element. If you want to ensure that certain images can’t be viewed at all with the link, I believe you can use a group element and have the background style be the image. Then if you are allowing people to download those images, you could have a download button which lets them download the image on-click, but never opens in a new tab.

1 Like

@fayewatson is right, it’s about having some privacy rules for attachment set up. This is an advanced feature, but possible. Then it will only be visible if the thing attached to it is visible to the current user.

For example if you would prefer that only Users who are logged in can view an image, you could set up a privacy role similar to this:

Here, only logged-in Users can view the Photo, Created Date, Modified Date, Created By fields within the “Listing” data type (though this could be any data type of course). Then “Everyone Else” cannot view those fields or find them in searches.

(Privacy Roles are accessed by going to Data → Privacy → “Define A New Role”)

First, thank you for explaining in detail your reply @fayewatson
I tested your solution and it works well for pages inside Bubble but even with these privacy rules, the images are still accessible through url links where Bubble stores the uploaded pictures (for instance: //s3.amazonaws.com/appforest_uf/f1486390527751x516647380776703360/Koala.jpg).

Is there another way to limit this access? @emmanuel

I precise my goal here is to limit access to images of my private app, to keep them confidential until the app launch.

Can you share some screenshot of your setting of the Image uploader?

Yes, here is all the settings

You want to create the pic first, and then attach the image to the pic. since your privacy rule applies to the pic.

Yes, when the button is clicked, I create the pic and attach the image to it, via the picture uploader value, so I don’t understand what your answer is, sorry?

So since a file is attached to a thing when it’s uploaded, the thing has to get created before the image is uploaded. So you can change your logic a little bit, with the thing created beforehand.

Ok, I just applied your suggestion: I first created the thing with a different event and then I made changes to this thing when the button is clicked in order to attach the image to the thing, but I don’t see any difference on the result: the image indeed follows the privacy rule on the Bubble page but if I right click on the image to copy the link, I can still see the image, whether I’m logged in or not to Bubble.

Can you share a link to your app in the editor?

Yes, here is the link: https://bubble.io/page?type=page&name=image&id=app0test&tab=tabs-1

You’re not attaching the image to the pic, but to the current user. Look at your privacy rule, it’s not on the user, but the pic. See what I did (you also need to set the pic somewhere so that the file uploader knows which pic we’re talking about, which is why i display data in the group).

Now this image is protected.

1 Like

Ok, now I understand my mistake, I attached the image to the current user, it seemed wrong indeed but I couldn’t find other option.
Thanks for your help, I wouldn’t have found how to make it work by myself!

1 Like

I got stuck on this for hours as well. Ended up creating the private object on page load.

I’m having hard time implementing this.

Same here, has anyone got an example of the solution? :smiley: