Making files private not really private... I don't think

Okay I am pretty sure I have found a pretty big flaw in the private uploader settings

check this out
https://bubble.io/appeditor/see_file/odt/test/f1655836081534x205582780596945700/this%20is%20not%20really%20private.txt

This link is private but the moment I change the beginning of the link to

https://opendoors.cloud/version-test/fileupload/f1655836081534x205582780596945700/this%20is%20not%20really%20private.txt

Everyone can suddenly see the document. Correct me if I am wrong, but if someone gets the link for this file they can in fact access it without being logged in?

Appreciate any clarification here.

Thanks Alex

Did you define privacy rules?

the first one are private

This is from the editor. The link is different and related to who can access the editor (that doesn’t apply the same rules that privacy rules do ;).


It is still only one file which has been uploaded. Depending on how you access it changes whether it is private or not. Ergo the file is accessible without logging in. Could you access the file?

The strings after https://bubble.io/appeditor/see_file/odt/ are exactly the same. I can copy https://opendoors.cloud/version-test/fileupload/ and replace the first string, and all my “private files” are accessible regardless of privacy settings.

I would love to test this further. Can someone send one of their “private” links to see if it is cross-platform accessible?

Like I told you, it’s all related to the privacy rules. I don’t talk about “make this file private” option. Go in data tab and check your privacy rules.

When you access it from the editor, Bubble generates a different URL (this is the “see file” URL). Because from the editor, the app admin can view everything, no matter what you have set in privacy rules. From the frontend (or with the file link you sent that uses the opendoors.cloud URL), it’s all related to the privacy rules.

Here’s a reference that may help you understand

My apologies but I don’t think you have understood. The privacy rules are set, I only uploaded the file once, the file is attached to a database entry where the file attachment privacy rule is set, no one who is not logged in should be able to see the file. The first link shows this has worked. But if I change the beginning of the link, the file can be opened anyway.

“when you access it from editor, Bubble generate a different url (this is the “see file” URL).” I think this part of your comment is what I am talking about => yes it does generate another URL but the URL is only different in the beginning string, the end string stays the same.
Again please feel free to send me a link to a private file to test this, I think by changing the beginning it can be opened regardless of being logged into the editor or not.

Can you share your privacy rules?

Here’s a link with correct settings:
https://draweb.bubbleapps.io/version-test/fileupload/f1655896904569x581269245745330600/14666089_534539540075819_5827987083581825229_n.jpg

And just in case, the same file from the editor:
https://bubble.io/appeditor/see_file/draweb/test/f1655896904569x581269245745330600/14666089_534539540075819_5827987083581825229_n.jpg

The links are different. But the one from the editor is generated based on the editor access rights, while the file one is generated based on the privacy rules.

If there are no privacy rules applied, it will be a direct link to Amazon S3.


Oh this makes me happier! I can’t get into yours.
I think I would have to show you my privacy settings in a more private setting.
Is there another way I can show you? Thank you for your help.

You can send a PM here.
