Privacy rules do not prevent modifying data

This came as a big surprise to me (having spent more hours with Bubble than with my family the past year!), so I wanted to share with the rest of you:

Bubble’s powerful Privacy rules feature only protects viewing data and not editing. Why is this a big deal? If you can’t see the data, how should you ever be able to modify it?

Let’s take an example: say you created a forum app, and there is a page for a thread. Only certain users have access to this thread. If someone else goes to the URL of that page, they will just see an “empty” page where all content is missing. So far, so good: Bubble’s privacy feature works its magic. At the bottom of the page, there is an input field, where a user can post a comment in the thread. If the user now enters a comment here, that will actually be added to the thread, even though the thread “thing” is protected with privacy rules! Yes, this took me by surprise. But it works as designed.

It’s not difficult to fix: you just add the same rules as you have in your privacy settings to all modifying actions in your app :fearful:

6 Likes
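
A minimal model of the behaviour described in the post above, as an added example that is not part of the thread and is not Bubble code: the read path applies a privacy rule, one write path has no condition, and a second write path reuses the same rule. The `Forum` class, `can_access`, and the user names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Thread:
    id: str
    members: set
    comments: list = field(default_factory=list)

def can_access(user, thread):
    """The one rule, shared by reads and writes: only members may touch the thread."""
    return user in thread.members

class Forum:
    """Toy data store (constructed): rules are only enforced where a method calls them."""
    def __init__(self, threads):
        self._threads = {t.id: t for t in threads}

    def view(self, user, thread_id):
        # Read path: the privacy rule hides the content, so the page looks empty.
        t = self._threads[thread_id]
        return list(t.comments) if can_access(user, t) else None

    def post_unchecked(self, user, thread_id, text):
        # Write path with no condition: the thread id is enough to modify it.
        self._threads[thread_id].comments.append((user, text))
        return True

    def post_checked(self, user, thread_id, text):
        # Write path that repeats the read rule as a condition on the action.
        t = self._threads[thread_id]
        if not can_access(user, t):
            return False
        t.comments.append((user, text))
        return True

def demo():
    forum = Forum([Thread("t1", {"alice", "bob"})])  # constructed sample data
    return {
        "outsider_view": forum.view("mallory", "t1"),
        "outsider_unchecked": forum.post_unchecked("mallory", "t1", "hi"),
        "outsider_checked": forum.post_checked("mallory", "t1", "hi again"),
        "member_checked": forum.post_checked("alice", "t1", "hello"),
        "member_view": forum.view("alice", "t1"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Keeping the rule in one function that both paths call means a later change to who may see a thread also changes who may modify it.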

Hello Soeren,

I have just noticed the issue you are talking about. Therefore, I wondered if adding privacy settings to every single workflow related to data editing/creating was a secure way to fix the issue?

Thanks for your reply