Privacy Rules: see only the thing attached to your user

I have a form that temporary users can only fill out only after entering a valid access code. I have an “Access Codes” data type with the code and an expiration date and an “Access Code” field on the “User” data type. (The “Access Code” field is of the type “Access Codes”)

The temporary user goes to a page where they fill out their name and enter an access code. When they submit this, it triggers a backend workflow that checks if the code they entered is a valid, non-expired code. If the code is valid, the code is added to their user via the access code field. (This is done with a backend workflow so I can ignore privacy rules without exposing all access codes to the user.) Once this is done, the front-end checks if the current user has an access code, and navigates to the page with the form.

The problem I’m having is that I need to allow the user to see their own access code (the access code field on their user), but not all the access codes. My “User” privacy rules for “When this user is current user” allows the user to see and search for the “Access Code” field. My “Access Codes” privacy rules for “When this access codes is current user’s access code” allow viewing and searching for all fields.

The debugger is telling me that the access code field on the user is being hidden by a privacy rule. This means I can’t check for an access code and forward to the next page. What am I doing wrong here?

Update: Even when I set the “Everyone Else” privacy rules for both the user and the “Access Codes” to be able to view and search for access codes, it’s still getting blocked. Am I running into a bug?

Check out this Privacy Rules guide by Bubble.

1 Like

Along with reading manual as @johnny said can you please share screenshots of privacy setup to make it clearer?

1 Like

Yeah so you have the right idea to have the access codes private. Keep it that way.
Again, perfect idea to have a backend workflow handle the access codes.

At the end is where we can change it a bit to accomplish what you’d like.

  1. Let’s add another field to the User: Validated? Type Yes/No - - Default to No
    Privacy setting for this new field should be viewable for the current user.

  2. On the page, if user’s Validated is Yes Navigate to the page with the form.

  3. At the end of the backend workflow make it so the validated = yes if the access code matches or is valid.

That should be it. If the page it goes to is linked to that access code then you can create yet another field on the User that is viewable to the current user only, and call it “CurrentPage” which that backend validation workflow can make the page they can view visible to the user there :slight_smile:

Thank you all for the responses! I’ll might just end up doing something similar to what @jobs suggested, but I’m still confused about how it’s working right now. See attached screenshots:

For the user:

And here is the error I’m getting:

Note: I know these privacy rules are NOT enforcing the security I want. I just can’t figure out why this is blocked even with the most lenient privacy rules.

Just want to make sure, you’re actually logged in as the user, right?

No, I’m not logged in at all. I want this to work with a temporary user. I was thinking that since bubble creates a temporary user for every person on the site, that “This User is Current User” would apply even if that user isn’t logged in. Based on the other fields I can see in the debugger, it appears this is working.

However, you’ll notice that even with the access code viewable by “Everyone Else”, I still get the same message about it getting blocked.