List of UserTypes - Possible with User Type = Data Type?

Hi Bubblers,

This is a combo database and security question.

Is it impossible to create privacy rules based on datatype (as opposed to Option set) UserType if the UserType field on the User Data Type is of data type UserType?

I am trying to move away from Option Sets for defining the User Types because Option Sets are visible in the browser, so putting User Type in an Option Set is like giving hackers a road map. But I have at least one app in which I can assign multiple User Types to one user. It allows you to have people wear many hats and take some of their rights / access away as the organization grows and new people take over responsibility for parts of the job that multi-hat user has been covering up until then.

However, I am starting to conclude that I am going to have to choose between improving my security on Bubble and having the flexibility that a list of user types provides. If anyone can set me straight on this issue, PLEASE LET ME KNOW!!!

The detail.

I am able to define UserType as a LIST for field usertype in User, but when I go to define a privacy rule for data type A and say when Current User’s UserType contains, I hit a dead end because there appears to be no way to do a search for UserTypes in privacy rules.


Am I missing something here or is that really the case? The privacy rules interface is not the most intuitive so maybe I am. I was so used to defining usertypes as option sets that it took me a bit of time to figure out how to configure a privacy rule when User’s UserType is NOT a LIST. When it is a UserType record selection, you are given the choice of the fields of the UserType Record to choose from.

When UserType is defined as a list in the User datatype, you have to use contains - and it lets you select contains, but you do not get a list of the UserType fields that you would go on to do field-specific contains against.

When you have an entire app built around a user having a list of user types, redesigning the security to make up for this limitation is a serious pain.

Thanks in advance for your feedback.

KH

PS - By the way, does anyone else think that it is about time that Bubble added a security section to the forum? They bought an entire company to beef up what was clearly a weak point and yet they still don’t have a separate section on the Forum for us to exchange ideas???

@georgecollier @AliFarahat @jagdish_bajaj @tylerboodman @Alter345 @cmarchan @boston85719 @johnny @ Jici @chris.williamson1996

Gents - you have all been great help in the past so I am begging for a speedy answer.

I have been waiting three days for tech support to confirm whether this is a bug or a “feature”, and not knowing has me dead in the water as I don’t want to give up on improving security by not using Option Sets only to find out later that I was experiencing a temporary bug in Bubble or had missed some obvious way of setting it up.

If you can have a look at this and let me know if it is or is not possible to build my security when Users have the field userType defined as a list of UserTypes, where User Type is a data type as opposed to an option set, I would really appreciate it.

I think you might be overthinking the option set issue because even if someone knows that the “Super admin” role exists, that won’t really help them.

In privacy rule expressions it’s known that you can’t search for a Thing.

I don’t know if I was following your setup 100%, but if it helps at all, maybe make the UserTypes field a List of texts field, and put the names of the UserTypes and do an expression like this :grimacing:

1 Like

Thanks for chiming in Tyler - I am not clear how big a deal UserType as an option set is. It was highlighted as a risk in Petter Amlie’s book on security and I wanted to follow best practice, but it is turning out to be more trouble than it is worth. I figure that Bubble exposing every app’s database schema is potentially a much more useful treasure trove of information that could be used by hackers. But I thought that this was one vulnerability that I could mitigate.

Hopefully some others can confirm, but I don’t see having roles in an option set as a big deal. If you had actual data in an option set then that would definitely be bad. But simply seeing that Super Admins exist is not really a surprise for any app.

I think you’re probably right. It would be nice to be sure though. Anyway, I can’t wait any longer so I’ve gone back to using option sets. Arrggh😬

1 Like

@kevin.hunt - I think that using Option Sets is fine.

Revealing the list of user types publicly is harmless and won’t create a security issue, assuming that you have set up privacy rules well.

1 Like

Thanks Jagdish. As I have gone back to Option Sets I hope you are right!
Cheers,
Kevin

I prefer using a boolean field for admin roles.

If security is paramount and you want to go the extra mile then you could create a permissions/role data type that links to users. Then on pages that require admin checks, call a backend API to return some sort of authentication token and store the verification in session storage.

I’m setting up something similar for an app I have in development for our finance department, but I do the authentication in my own Cloudflare backend.

What does that look like in Bubble?

Can just be a token that you update in the user field that matches a key in your backend for that session

1 Like
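
The pattern suggested in the last few posts (a role data type linked to users, with admin checks confirmed by a backend against a per-session token), shown as an added example that is not part of the thread or anyone's actual setup. The in-memory stores, function names and sample users are hypothetical; the point is that role names can be public while assignments and enforcement stay on the server.

```javascript
// Added example (not from the thread). All names here are hypothetical.
const crypto = require('node:crypto');

// Server-side role store: one user can hold several roles ("many hats").
// Role NAMES may be public; the assignments below never leave the backend.
const userRoles = new Map([
  ['user-1', ['Admin', 'Finance']], // constructed sample data
  ['user-2', ['Member']],
]);

// Backend keeps only a hash of each session token, plus an expiry.
const sessions = new Map(); // userId -> { tokenHash, expiresAt }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Issue a fresh random token for this session; the caller stores it on the
// user record / in session storage and sends it back with each admin request.
function issueToken(userId, now = Date.now(), ttlMs = 15 * 60 * 1000) {
  if (!userRoles.has(userId)) throw new Error('unknown user');
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(userId, { tokenHash: sha256(token), expiresAt: now + ttlMs });
  return token;
}

// Authorize on the server: token must match this user's current session,
// be unexpired, and the user's role list must contain the required role.
function authorize(userId, token, requiredRole, now = Date.now()) {
  const s = sessions.get(userId);
  if (!s || typeof token !== 'string' || now >= s.expiresAt) return false;
  // Hashing both sides gives equal-length buffers for timingSafeEqual.
  if (!crypto.timingSafeEqual(sha256(token), s.tokenHash)) return false;
  return (userRoles.get(userId) || []).includes(requiredRole);
}

// Removing a hat takes effect on the next check; no client change needed.
function revokeRole(userId, role) {
  userRoles.set(userId, (userRoles.get(userId) || []).filter((r) => r !== role));
}
```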