Forum Academy Marketplace Showcase Pricing Features

Publicly accessible files when uploaded via File Uploader


I created a simple webpage with a FileUploader plugin, which allows me to upload files.

I linked that with a simple workflow (see attached), that creates a “File” object in the database.

I then created a simple rule in the Data -> Privacy section (see attached), saying only the logged-in owner should have access to that file.

The problem I have is, if I copy the URL of the uploaded file when logged in as that user, I can then publicly access that URL from any browser in private mode. In other words, there seems to be no authentication done by bubble’s servers before the file is made available, if the consumer knows the URL.

So what am I doing wrong? Or is it a flaw in bubble?



Hi @manu Did you ever get help with this?

This is a pretty big vulnerability. Did you ever find a solution?