Forum Academy Marketplace Showcase Pricing Features

Is there a way to make privacy rules for one data type be dependent on another data type?

I’m getting ready to go live with an app and am wanting to be sure I have privacy set up so that sensitive data is not accidentally compromised. I have a lot of “dependent” data that should only show if linked items are visible to a user but am not seeing any sort of feature in the privacy area that says something like “if linked value is visible to user.”

For example, let’s say I have the following tables:

Report:
Date
Title
Published to User? (e.g., Yes, No)

Report Content:
Item (e.g., Button, Text)
Item Position (e.g., 1, 2, 3)
Linked Report
Published to Report? (e.g., Yes, No)

In this scenario, the items are things like buttons, text, and images, but some of them are part of a draft while others are live. I’m wanting to ensure that a user can only see the Report Items if the related Report is published.

Is there some way to set this in privacy? I know I could enforce this via workflow logic, but I need to be certain a nefarious user couldn’t somehow get to data.

There are a few guides - I found this to be the best (for my little brain) There are others. https://nocodenohack.com/app?tab=home - run this to audit your app and get a link to the best explanation on Bubble Security - and get a security scan when ready EUR 350 - no doubt good value also. (I do not work for these guys just like their stuff)

In your case I think the answer probably lies with designing your database so you can implement the rules. As you are hinting a “cart” is not an “order”, and maybe treating them as quite separate things will make the design of the privacy rules clearer. (or not :slight_smile: )

1 Like

@lindsay_knowcode, thanks for providing that.

Yeah, the example I used for orders/cart isn’t really representative of the actual scenario, so perhaps I should present that instead to better explain.

Just updated the OP.

Privacy rules are engineered for speed since they are evaluated in the backend every single time a data type is accessed. In fact, add too many privacy rules and you’ll notice db speeds becoming sluggish.

Anyways as a result, the expression editor in privacy rules is much more limited as you may have seen. Bubble won’t let you perform a db lookup for a separate data type to determine if a record can be accessed. It is too ‘expensive’ of an operation to allow for the privacy rules engine to efficiently process in the background all the time.

Perhaps you create a field in Linked Report called authorized user or list of authorized users

Then, inside of privacy rules for Linked Report construct the rule
when list of authorized users contains current user

This will allow you to restrict data to authorized users only. You’d need to build your app logic to add the current user or assign other users to be able to view the thing.

You can also create a user type.
when current user's type is admin

would let any user tagged as ‘admin’ to be able to view the record.

1 Like

You can create a privacy rule when the item is a data type. But you can’t go two levels deep do you would need to store the published state on the report. This item report is published, view all fields.

But as with so many things they’re are a lot of ways to solve this as mentioned above.

If you want to make sure you’re safe and secure, check your app here: check.ideable.co