Making a button "not visible" is not enough for privacy?

Hi, I just saw this video: How to Setup Privacy Rules | Bubble Tutorial - YouTube

At minute 14:03 they say that making a button “not visible” won’t prevent some users from triggering the button’s workflow, so on top of setting the privacy conditional for hiding the button, I would have to set conditionals on the workflow as well.

This sounds like unnecessary double work…

Can anyone describe cases where, although the workflow trigger button is already not visible, unauthorized users will be able to trigger this button?



They are absolutely right. If you only rely on the visibility of the button (front-end side), the attacker can manipulate the DOM and set the button to visible again.

Therefore, it is recommended to work with conditions on the workflow side (backend) as well.

It is not unnecessary double work.

Many greetings.
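The difference described in the reply above, as an added example that is not part of the original thread and is not Bubble's own code: a small JavaScript model in which the button is a client-side object and the workflow is a server-side function. The user names, the record id and all function names are constructed for illustration.

```javascript
// Constructed model (not Bubble's implementation): the "button" lives in the
// browser, the "workflow" runs on the server and receives whatever is sent.
const USERS = { alice: { role: "admin" }, bob: { role: "member" } }; // constructed sample users

function makeServer(checkOnServer) {
  const records = new Map([["invoice-1", { owner: "alice" }]]); // constructed sample data
  return {
    records,
    // The workflow the button triggers. userId comes from the session, not from the page.
    deleteRecord(userId, recordId) {
      const user = USERS[userId];
      // Server-side condition: evaluated on every run, whatever the page displayed.
      if (checkOnServer && (!user || user.role !== "admin")) return "denied";
      return records.delete(recordId) ? "deleted" : "not found";
    },
  };
}

// Client side: visibility is only a property of an element in the user's own browser.
function renderDeleteButton(userId, server) {
  return {
    visible: USERS[userId].role === "admin",
    click(recordId) {
      return this.visible ? server.deleteRecord(userId, recordId) : "no-op (hidden)";
    },
  };
}

// A member's page, before and after the element is un-hidden locally.
function scenario(checkOnServer) {
  const server = makeServer(checkOnServer);
  const button = renderDeleteButton("bob", server);
  const whileHidden = button.click("invoice-1");
  button.visible = true; // the local DOM change the reply above describes
  const afterUnhide = button.click("invoice-1");
  return { whileHidden, afterUnhide, recordSurvives: server.records.has("invoice-1") };
}

console.log("visibility only:   ", scenario(false));
console.log("workflow condition:", scenario(true));
```

With only the visibility rule the record is gone after the second click; with the condition on the workflow the same click returns "denied" and the record is still there.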




Glad it helped.

Visibility is never enough for privacy then?

For example, if I make a Repeating Group not visible for certain user types, are there ways they can make it visible nevertheless?

Would this workflow be reliable to keep privacy?


You are always on the safe side if you work with data privacy rules. This way, you can determine which data should be seen by users who are logged in / out. Of course, this can get more complex.

I personally always start with data privacy rules if I work for clients and combine them with hiding elements.

Another non-programmer question…

If I don’t set privacy rules, can someone access all information within my databases? Is that accurate?

This question is too broad to be answered correctly. This depends on many different scenarios (e.g. do you expose your data API without correctly set data privacy, which items do you show on the page, and many more).

I didn’t want to make you insecure with my statements above.

Take the time to learn how to set data privacy rules and other security related topics for your Bubble application.

Here are some resources we developed:

If you still feel insecure, find someone experienced to have a look at your individual application. This is way more efficient.